Unable to log out a user because of browser cache. User gets logged in automatically after logout.

Noshairwan Farooq 1 Reputation point
2022-12-26T11:43:04.193+00:00

I have used Azure AD B2C User Flow to login a user in my application.
I have added the [Authorize] Attribute on my Controller Action Method.

    [Authorize]
    public IActionResult AuthenticateUser()
    {
        return RedirectToAction("LoginUser", profile);
    }

Here is my ConfigureServices Method in Startup.cs (just for reference)

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(Configuration, "AzureAd")
            .EnableTokenAcquisitionToCallDownstreamApi(new string[] { "" })
            .AddDownstreamWebApi("MyApi", Configuration.GetSection("MyApi"))
            .AddInMemoryTokenCaches();
    }

Now user login is working fine, and then I try to logout user like this:

    public async Task<IActionResult> LogoutUser()
    {
        try
        {
            // Await both sign-outs so they complete before the redirect is issued
            // (un-awaited calls run as fire-and-forget and may not finish in time).
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        }
        catch { }
        finally
        {
            HttpContext.Session.Clear();
        }

        string logoutUrl = "https://MY_WEB_APP.b2clogin.com/MY_WEB_APP.onmicrosoft.com/b2c_1_ss_signin_signup_uf/oauth2/v2.0/logout?post_logout_redirect_uri=https://MY_WEB_APP.com/my_logout_redirect_url";

        return Redirect(logoutUrl);
    }

But after logout, when I get back to the AuthenticateUser action method in my application, it automatically authenticates the user I just signed out.
Maybe it's because of browser cache that is automatically signing the user in again on the User Flow login page.

Developer technologies | ASP.NET | ASP.NET Core
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

2 answers

  1. Noshairwan Farooq 1 Reputation point
    2022-12-27T09:45:13.713+00:00

    I solved my problem with the following fix.

    1) In my Logout Action Method I signed out like this:

        // Await both sign-outs so they complete before the response is sent.
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

    2) Created a page where users will be redirected after logout and added this JavaScript code on that page:

    <script>
        deleteAllCookies();

        // Expires every cookie visible to script on the current origin.
        // HttpOnly cookies (such as the ASP.NET Core auth cookie) and cookies set
        // with a different Path or Domain are not reachable from here.
        function deleteAllCookies() {
            console.log("deleting cookies..");
            const cookies = document.cookie.split(";");

            for (let i = 0; i < cookies.length; i++) {
                const cookie = cookies[i].trim();   // entries after the first carry a leading space
                const eqPos = cookie.indexOf("=");
                const name = eqPos > -1 ? cookie.slice(0, eqPos) : cookie;
                document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
            }
        }
    </script>

    3) Added the same JavaScript above in my B2C User Flow custom design page.


  2. Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator
    2022-12-27T09:54:19.703+00:00

    Hi @Noshairwan Farooq,

    Thanks for reaching out.

    I am glad you are able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.


    Also, an alternative would be to redirect using `&prompt=login` in your auth URL, which will revoke your login request without a user session.

    Thanks,
    Shweta
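The two approaches above, combined in one ASP.NET Core example added here (not code from either answer): a logout action that lets the OpenID Connect handler issue the B2C end-session redirect instead of a hand-built URL, and an options hook that sends prompt=login as the moderator suggests. It assumes the Microsoft.Identity.Web setup from the question's ConfigureServices; the controller name, the SignedOut view and the ForcePromptLogin helper are hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class AccountController : Controller   // hypothetical controller name
{
    // One SignOutResult covering both schemes: the cookie scheme deletes the
    // app's HttpOnly auth cookie (page JavaScript cannot reach it), and the OIDC
    // scheme redirects to the B2C end_session endpoint so the b2clogin.com
    // session is ended too, without hand-building the logout URL.
    [HttpPost, ValidateAntiForgeryToken]   // POST + token: a cross-site link cannot log the user out
    public IActionResult LogoutUser()
    {
        var props = new AuthenticationProperties
        {
            // Where the handler sends the browser after the B2C sign-out round trip.
            RedirectUri = Url.Action("SignedOut", "Account")
        };
        return SignOut(props,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }

    [AllowAnonymous]
    public IActionResult SignedOut() => View();   // hypothetical "signed out" page
}

public static class PromptLoginSetup   // hypothetical helper
{
    // The moderator's alternative: send prompt=login on every authorize request so
    // B2C shows its login page even when an IdP session cookie still exists.
    // Call after AddMicrosoftIdentityWebApp(...); chaining a previously registered
    // handler is an assumption about how the events are composed.
    public static IServiceCollection ForcePromptLogin(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new OpenIdConnectEvents();
            var previous = options.Events.OnRedirectToIdentityProvider;
            options.Events.OnRedirectToIdentityProvider = async context =>
            {
                if (previous != null) await previous(context);
                context.ProtocolMessage.Prompt = "login";
            };
        });
        return services;
    }
}
```

Because the cookie scheme runs server-side, the page script from the first answer is only needed for cookies that are visible to JavaScript on the page where it runs.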
