Microsoft Authentication: I cannot delete my site cookies to force reentering fresh credentials upon logging back in.

  • Question

  • User-630224354 posted

    -- Moved this here from MSDN.

    I want to be able to log out of my site in a manner that forces the user to reenter his Microsoft credentials when attempting to log back in.

    To do this I presume that I have to delete the External Cookie relating to the Microsoft Login Info.

    I have tried a large number of solutions to no avail. They are as follows:

    1: Signing out ALL current authentication types

    // Collect every OWIN authentication type registered in Startup
    // (application cookie, external cookie, Microsoft Account) and sign them all out.
    var authTypes = AuthenticationManager.GetAuthenticationTypes().ToList();
    var authTypeNames = new List<string>();

    foreach (var authType in authTypes)
    {
        if (!authTypeNames.Contains(authType.AuthenticationType))
            authTypeNames.Add(authType.AuthenticationType);
    }
    Request.GetOwinContext().Authentication.SignOut(authTypeNames.ToArray());

    2: Clearing Session

    Session.Clear();

    3: Abandoning the Session

    Session.Abandon();

    4: Signing out just the Application Cookie

    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    5: Signing out just the External Cookie

    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);

    6: Marking the Application Cookie for expiry in the logout request

    // Overwrite the default OWIN application cookie with one that has already expired.
    if (Request.Cookies[".AspNet.ApplicationCookie"] != null)
    {
        HttpCookie myCookie = new HttpCookie(".AspNet.ApplicationCookie");
        myCookie.Expires = DateTime.Now.AddDays(-1d);
        Response.Cookies.Add(myCookie);
    }

    7: a number of other things

    This has to be possible.

    My startup file is as follows:

    // Local application cookie, with security-stamp validation every 30 minutes.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
        }
    });

    // Temporary cookie that carries the external (Microsoft) login info back to the app.
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Microsoft Account (Live ID) OAuth middleware.
    var ms = new Microsoft.Owin.Security.MicrosoftAccount.MicrosoftAccountAuthenticationOptions()
    {
        ClientId = "{My Client}",
        ClientSecret = "{My Secret}",
    };
    ms.Scope.Add("wl.emails");
    ms.Scope.Add("wl.basic");
    app.UseMicrosoftAccountAuthentication(ms);

    For some reason I just cannot force the deletion of the cookies. If I had, then the method AuthenticationManager.GetExternalLoginInfoAsync() should return a null value. Not until I manually clear my cache am I forced to reenter my credentials.

    I have seen a large number of threads about similar issues, but I have been unable to find a working solution.

    Friday, January 29, 2016 8:01 AM

Answers

  • User-630224354 posted

    Three days of searching for a solution, and 1 hour after posting this, I found the solution in this forum thread:

    http://stackoverflow.com/questions/33131361/owin-authenticationmanager-signoutdefaultauthenticationtypes-applicationcookie

    The LiveID cookies CANNOT be deleted implicitly from the logout method.

    You have to redirect the user to a LiveID logout page.

    And pass the ClientID and redirect URL as parameters.

    The returned URL will still return you to a blank page, but this can be fixed by adding some code in the Global.asax.

    Here's how I solved my issue:

    The Logout Method

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Expire the application cookie explicitly ("ApplicationCookieName" is a placeholder for the real cookie name).
        if (Request.Cookies["ApplicationCookieName"] != null)
        {
            HttpCookie myCookie = new HttpCookie("ApplicationCookieName");
            myCookie.Expires = DateTime.Now.AddDays(-1);
            Response.Cookies.Add(myCookie);
        }

        // Sign out every registered OWIN authentication type.
        var authTypes = AuthenticationManager.GetAuthenticationTypes().ToList();
        var authTypeNames = new List<string>();

        foreach (var authType in authTypes)
        {
            if (!authTypeNames.Contains(authType.AuthenticationType))
                authTypeNames.Add(authType.AuthenticationType);
        }
        AuthenticationManager.SignOut(authTypeNames.ToArray());

        // The Live ID session can only be ended on Microsoft's side: redirect there,
        // passing the client id and the redirect URI registered at account.live.com.
        return Redirect("https://login.live.com/oauth20_logout.srf?client_id=(CLIENTID)&redirect_uri=(REDIRECTURI_FROM_ACCOUNT.LIVE.COM)");
    }

    The Global.asax File:

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // After the Live ID logout, Microsoft sends the browser back to the
        // signin-microsoft redirect URI with an "lc" query parameter; send it to
        // the site root instead of letting it land on a blank page.
        var url = Request.Url;
        if (url.AbsoluteUri.Contains("signin-microsoft") && Request.QueryString["lc"] != null)
        {
            Response.Redirect(url.GetLeftPart(UriPartial.Authority));
        }
    }

    I could not have figured this out if it wasn't for the other forum thread, but I figured that I would spread the knowledge.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 29, 2016 9:38 AM
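The full logout flow the answer describes, written out as an added example (this is not the poster's code, nor code from the ASP.NET Identity or OWIN projects). It assumes the ASP.NET MVC 5 / Identity 2.x setup shown in the question's Startup: `AccountController`, `ApplicationUserManager`, the default `.AspNet.ApplicationCookie` name, and the `MicrosoftClientId` / `PostLogoutRedirectUri` constants are hypothetical names standing in for the app's real configuration. It adds two things the thread's code does not: the `redirect_uri` and `client_id` are percent-encoded rather than concatenated as literals, and the user's security stamp is rotated before sign-out so that any other copy of the application cookie also stops validating.

```csharp
// Added example (not the poster's code): end both the local OWIN sign-in and the
// Microsoft Account (Live ID) session so the next login prompts for credentials.
using System;
using System.Linq;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Hypothetical values: read these from configuration in a real app, and keep the
    // redirect URI byte-for-byte identical to the one registered at account.live.com.
    private const string MicrosoftClientId = "{My Client}";
    private const string PostLogoutRedirectUri = "https://example.com/signin-microsoft";

    private IAuthenticationManager AuthenticationManager =>
        HttpContext.GetOwinContext().Authentication;

    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    // Builds the Live ID logout URL from the answer, with both query parameters
    // percent-encoded instead of pasted into the string.
    public static string BuildMicrosoftLogoutUrl(string clientId, string redirectUri)
    {
        if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(redirectUri))
            throw new ArgumentException("client_id and redirect_uri are required");

        return "https://login.live.com/oauth20_logout.srf"
             + "?client_id=" + Uri.EscapeDataString(clientId)
             + "&redirect_uri=" + Uri.EscapeDataString(redirectUri);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        // 1. Rotate the security stamp. With the SecurityStampValidator from the
        //    question's Startup, every other copy of the application cookie now fails
        //    validation at its next check (within the 30-minute validateInterval),
        //    not only the cookie in this browser.
        var userId = User.Identity.GetUserId();
        if (userId != null)
            await UserManager.UpdateSecurityStampAsync(userId);

        // 2. Sign out every OWIN authentication type registered in Startup
        //    (application cookie, external cookie, Microsoft Account).
        var authTypes = AuthenticationManager.GetAuthenticationTypes()
            .Select(t => t.AuthenticationType)
            .Distinct()
            .ToArray();
        AuthenticationManager.SignOut(authTypes);

        // 3. Expire the application cookie explicitly as well. The expiring cookie
        //    must carry the same Path as the original, otherwise the browser stores
        //    it as a second cookie and keeps the live one.
        Response.Cookies.Add(new HttpCookie(".AspNet.ApplicationCookie")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = "/",
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });

        // 4. Hand off to Microsoft so the Live ID session is ended too; without this
        //    step the next external login completes silently with the old session.
        return Redirect(BuildMicrosoftLogoutUrl(MicrosoftClientId, PostLogoutRedirectUri));
    }
}
```

The return trip still needs the `Application_BeginRequest` handler from the answer above, which catches the `signin-microsoft?lc=...` callback and sends the browser to the site root. Note the residual window in step 1: a cookie stolen before logout keeps working until its next security-stamp check, so a shorter `validateInterval` tightens that at the cost of more database reads per request.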