OWIN - Cookie .AspNet.ApplicationCookie in Authentication.SignOut()

S.Marabot 21 Reputation points
2022-09-29T15:43:05.923+00:00

I have a .NET site with MVC.
When I log out, you can use the same cookie to log in to the site (copying the value of .AspNet.ApplicationCookie).

My code is:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
return RedirectToAction("Login","Account");

The cookie expires in 10 minutes if you don't use it, but you can log in by copying it to another browser or another PC.
How can one override the use of the same value already used in .AspNet.ApplicationCookie?

I have already tried Session.Clear, Session.Abandon, setting the expiry to -1 day, and removing cookies, and nothing works; I can always log in.


Answer accepted by question author
  1. Bruce (SqlWork.com) 81,976 Reputation points Volunteer Moderator
    2022-09-29T16:06:14.88+00:00

    All signout does is tell the browser to expire the cookie.

    If you need to invalidate the cookie you will need to add additional validation. You will need to store a key value from the cookie in persistent storage on create cookie. On sign out, mark as invalid. On cookie validation, you will need to check the persistent store.

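The approach in the accepted answer, sketched for the OWIN cookie middleware as an added example that is not code from the thread. `SessionStore` and the `sid` claim name are hypothetical, and the in-memory dictionary stands in for the persistent store the answer calls for.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical store (assumption): replace the dictionary with a database table
// shared by all web servers so that revocations survive restarts.
public static class SessionStore
{
    private static readonly ConcurrentDictionary<string, bool> Active =
        new ConcurrentDictionary<string, bool>();

    public static string Create() { var id = Guid.NewGuid().ToString("N"); Active[id] = true; return id; }
    public static void Revoke(string id) { if (id != null) Active[id] = false; }
    public static bool IsActive(string id) { bool ok; return id != null && Active.TryGetValue(id, out ok) && ok; }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // On cookie creation: put a server-side session id into the ticket.
                OnResponseSignIn = ctx =>
                    ctx.Identity.AddClaim(new Claim("sid", SessionStore.Create())),
                // On every request: reject tickets whose id is missing, unknown or revoked.
                OnValidateIdentity = ctx =>
                {
                    var sid = ctx.Identity.FindFirst("sid");
                    if (!SessionStore.IsActive(sid?.Value)) ctx.RejectIdentity();
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// In the log-off action, before the existing SignOut call (User is the controller's principal):
//   SessionStore.Revoke(((ClaimsIdentity)User.Identity).FindFirst("sid")?.Value);
//   AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
```

With this in place a copied `.AspNet.ApplicationCookie` value still decrypts after log-off, but `OnValidateIdentity` rejects it because its `sid` is marked revoked on the server.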

1 additional answer

  1. QiYou-MSFT 4,341 Reputation points Microsoft External Staff
    2022-09-30T08:46:48.447+00:00

    Hi @S.Marabot ,
    In fact, when you use

     AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);  
    

    your browser will delete the cookie. In order to store cookies and overwrite cookies after signout, we can store the cookie's data on the server's hard drive.

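    // Requires: using System; using System.IO; using System.Web;
    // Create a cookie named "MyCookie" that expires one minute from now.
    HttpCookie cookie = new HttpCookie("MyCookie");
    DateTime dt = DateTime.Now;
    TimeSpan ts = new TimeSpan(0, 0, 1, 0, 0);
    cookie.Expires = dt.Add(ts);

    // Copy the "userid" and "psw" request values into the cookie as plain text.
    string userid_value = Request["userid"];
    string psw_value = Request["psw"];
    cookie.Values.Add("userid", userid_value);
    cookie.Values.Add("psw", psw_value);
    Response.AppendCookie(cookie);

    string path = "C:\\Users\\Administrator\\Desktop\\Test";

    // Truncate the file so that it holds only the current values.
    using (FileStream stream = File.Open(path, FileMode.OpenOrCreate, FileAccess.Write))
    {
        stream.Seek(0, SeekOrigin.Begin);
        stream.SetLength(0);
    }

    // Write the same two values to the file, one per line, unencrypted.
    using (StreamWriter writer = new StreamWriter(path, true))
    {
        writer.WriteLine(userid_value);
        writer.WriteLine(psw_value);
    }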
    

    The data is stored locally for a long time without being deleted after logoff; the txt folder can also be emptied before each read using code.

    using (FileStream stream = File.Open(path, FileMode.OpenOrCreate, FileAccess.Write))
    {
        stream.Seek(0, SeekOrigin.Begin);
        stream.SetLength(0);
    }
    

    In the example, I store the data in the txt folder of the local desktop, and when your project is online, you can store it in the server, and the path can be modified. Again, if you have a more precise request, please let me know.

    Best regards,
    Qi You


