How to expire Authentication Cookie in ASP.NET MVC5.

Question

How to expire Authentication Cookie in ASP.NET MVC5.

I'm trying these following code.

I use AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie) to SignOut the web page.

But It's seem to doesn't work correctly, It could access again in same http request including with using same Authentication Cookie.

how do I change the code for fix this matter.

        // POST: /Account/LogOff
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
 
            Session.RemoveAll();
            Session.Abandon();
            Session.Clear();

            Response.Cookies.Clear();

            return RedirectToAction("Index", "Home");
        }

Anonymous

2023-06-26T09:39:31.1833333+00:00
Hi @片平　賢太郎 / katahira kentarou,

The default code generated like below and it works well for me.

// // POST: /Account/LogOff [HttpPost] [ValidateAntiForgeryToken] public ActionResult LogOff() { AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); return RedirectToAction("Index", "Home"); }

Now it not works for you, could you share me more details, like which browser you use, what the version of .net framework you are using and so on.

If we could reproduce the issue in our side, we could check the issue deeply. The code about AuthenticationManager.SignOut should work, we need to figure out why it not works. Usually, we can make the cookie expired by setting the expire time. And I also could see you have already remove the cookie, but it still not works. That why I need more details above.

And I also find the similiar issue, you can check it.

Best Regards
Jason

2 answers

Your answer

Anonymous

2023-06-26T09:39:31.1833333+00:00

Hi @片平　賢太郎 / katahira kentarou,

The default code generated like below and it works well for me.

// // POST: /Account/LogOff [HttpPost] [ValidateAntiForgeryToken] public ActionResult LogOff() { AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); return RedirectToAction("Index", "Home"); }

Now it not works for you, could you share me more details, like which browser you use, what the version of .net framework you are using and so on.

If we could reproduce the issue in our side, we could check the issue deeply. The code about AuthenticationManager.SignOut should work, we need to figure out why it not works. Usually, we can make the cookie expired by setting the expire time. And I also could see you have already remove the cookie, but it still not works. That why I need more details above.

And I also find the similiar issue, you can check it.

Best Regards
Jason

Answer 1

Ryan Jusay 165

Add this after your line:

AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    // Expire the cookie by setting its expiration date to a past date
    var cookie = new HttpCookie("YourAuthCookieName")
    {
        Expires = DateTime.UtcNow.AddDays(-1)
    };
    
    // Add the expired cookie to the response to update the client's cookie
    Response.Cookies.Add(cookie);

Make sure to replace "YourAuthCookieName" with the actual name of your authentication cookie.

Answer 2

Bruce (SqlWork.com) 77,686 Volunteer Moderator

Your scenario is not clear. The delete cookie, just sends the cookie back to the browser as expired. The cookie is not invalided, the browser just will not send it anymore. If you are using a tool, it may not honor the delete.

also if you are using single sign on, often the login server has its own cookie, so it can login the user without asking for credentials. If home/index requires authentication, than this could be happening.

Share via

How to expire Authentication Cookie in ASP.NET MVC5.

2 answers

Your answer