Issue with Cookie Authentication and SignOut

  • Question

  • User-318388241 posted

    Hello,

    We have an ASP.NET MVC5 application using ASP.NET Identity and are encountering the following problem (it is reproducible with the default ASP.NET MVC template).

    We use CookieAuthentication within OWIN. If we log in, copy the value of the auth cookie and then log out (calling AuthenticationManager.SignOut), the cookie is removed from the client.

    When I use a REST client (like Rester or something) and call an authorized method with an HTTP cookie header into which I paste the value of the auth cookie, the server handles the request as authorized. Why doesn't SignOut() revoke the server-side auth? Where are the generated tokens handled? How can we change this?

    We appreciate any help.

    Thanks.

    Best regards, Spindlet.

    Thursday, August 15, 2019 11:05 AM

All replies

  • User475983607 posted

    spindlet

    When I use a REST client (like Rester or something) and call an authorized method with an HTTP cookie header into which I paste the value of the auth cookie, the server handles the request as authorized. Why doesn't SignOut() revoke the server-side auth? Where are the generated tokens handled? How can we change this?

    Simply, cookie authentication is functioning as expected. The presence of the authentication cookie indicates a successful authentication.

    Identity has a security stamp validator: the security stamp is a GUID that matches a GUID in the auth cookie. Changing the GUID invalidates the auth cookie. The validateInterval is the frequency at which the validation is performed, i.e. how often the GUID is checked.

    // Enables the application to validate the security stamp when the user logs in.
    // This is a security feature which is used when you change a password or add an external login to your account.  
    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
        validateInterval: TimeSpan.FromMinutes(60),
        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))

    Thursday, August 15, 2019 11:19 AM
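The reply above describes rotating the security stamp and lowering validateInterval. The following is an added example, not code from this thread or from the ASP.NET Identity project, showing how the two pieces fit together in the default MVC5 template: ConfigureAuth validates the stamp on essentially every request (TimeSpan.Zero) and LogOff rotates the stamp before signing out, so a copied cookie is rejected on its next use instead of surviving until the interval elapses. It assumes the template's ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager and ApplicationUser types; UpdateSecurityStampAsync and SecurityStampValidator are real Identity 2.x APIs.

```csharp
// Added example (not the thread's or the template's own code): reject copied cookies
// after sign-out by rotating the user's security stamp and checking it on every request.
// Assumes the default MVC5 template types (ApplicationDbContext, ApplicationUserManager,
// ApplicationSignInManager, ApplicationUser with GenerateUserIdentityAsync).
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // validateInterval: TimeSpan.Zero compares the stamp claim in the cookie with the
                // stored stamp on every request (the validator runs whenever the time since the
                // cookie was issued exceeds the interval). A longer interval leaves a window of
                // that length in which a revoked cookie is still accepted. Cost: one user lookup
                // per authenticated request.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.Zero,
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public class AccountController : Controller
{
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var userId = User.Identity.GetUserId();
        if (!string.IsNullOrEmpty(userId))
        {
            // Rotating the stamp invalidates every cookie issued for this user, including any
            // copy held by another client; the validator above rejects them on their next use.
            // Note that this also ends the user's sessions on their other devices.
            await UserManager.UpdateSecurityStampAsync(userId);
        }

        HttpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

With this configuration a cookie copied before LogOff is still cryptographically valid (the data protector unprotects it fine), but the stamp claim inside it no longer matches the stored stamp, so the validator calls RejectIdentity and the request is treated as anonymous. Whether the per-request lookup is acceptable is a trade-off; a short non-zero interval such as a few minutes bounds the exposure window while keeping the lookups cheap.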
  • User-318388241 posted

    Thanks for your answer. In our application your provided solution doesn't work. But you put us in the right direction.

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = providerWrapper,                        // the application's own ICookieAuthenticationProvider
        SessionStore = new AuthenticationSessionStore(),   // server-side ticket store implementing IAuthenticationSessionStore
        CookiePath = "/",
        CookieName = cookieName,
        SlidingExpiration = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(30)
    });

    We added the SessionStore property and implemented the interface. Now it is working like expected.

    Thanks!

    Wednesday, August 21, 2019 8:23 PM
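The last post says the interface behind SessionStore was implemented but does not show it. The following is an added example, not the poster's AuthenticationSessionStore class or code from the Katana project, of an IAuthenticationSessionStore implementation and the matching UseCookieAuthentication call. With a session store the cookie carries only an opaque key; the OWIN cookie middleware calls RetrieveAsync on each request and RemoveAsync on SignOut, which is why a copied cookie value stops working the moment the user logs out. The class name InMemoryAuthenticationSessionStore is an assumption; the interface methods are the real ones from Microsoft.Owin.Security.Cookies.

```csharp
// Added example (not the thread's own code): a server-side ticket store for the OWIN cookie
// middleware. The in-memory dictionary is only suitable for a single-server demo; a real
// deployment backs this with a shared cache so tickets survive restarts and are visible to
// every web node, and sweeps expired entries that are never retrieved again.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class InMemoryAuthenticationSessionStore : IAuthenticationSessionStore
{
    private static readonly ConcurrentDictionary<string, AuthenticationTicket> Tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>(StringComparer.Ordinal);

    // Called on sign-in: persist the ticket and hand back the key that goes into the cookie.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = NewKey();
        Tickets[key] = ticket;
        return Task.FromResult(key);
    }

    // Called on sliding-expiration renewal: replace the stored ticket under the same key.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        Tickets[key] = ticket;
        return Task.FromResult(0);
    }

    // Called on every authenticated request. A missing or expired key yields null, which the
    // middleware treats as "not authenticated".
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        if (!Tickets.TryGetValue(key, out ticket))
            return Task.FromResult<AuthenticationTicket>(null);

        var expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow)
        {
            Tickets.TryRemove(key, out ticket);
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    // Called by the middleware when SignOut is processed: this is the server-side revocation
    // that the questioner was missing.
    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        Tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }

    // 256-bit random key so a cookie value cannot be guessed or enumerated.
    private static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // The cookie now holds only the store key (still wrapped by the data protector);
            // the claims live server-side until RemoveAsync deletes them.
            SessionStore = new InMemoryAuthenticationSessionStore(),
            SlidingExpiration = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(30)
        });
    }
}
```

Because revocation now depends on the store rather than on the cookie's contents, the store becomes part of the security boundary: if it is lost (process restart with the in-memory version) all users are simply logged out, which fails safe, but if it is shared across nodes it must be reachable from every node or authenticated requests will intermittently appear anonymous.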