How to invalidate ".AspNet.Cookies" cookie on logout?

Question

I have a .net application deployed to Azure. A penetration test finding called "Session Not Invalidated After Logout" is found.

When an API Get request is sent along with .AspNet.Cookies while user is logged in, a successful response is received as expected. Even after the user logs out, response is received when requested with same old cookie.

Please help how to invalidate .AspNet.Cookies cookie after log out. I have already tried with Session.Clear, Session.Abandon, setting -1 day to expire, removing cookies and nothing works.

Answer 1

deleting the cookie won't help, because this is just a request to the browser and the penetration test will ignore the request. you must add additional validation to the cookie. add a validation token, that is checked during cookie validation (the server saves in a persistent store). when you want to delete the cookie remove the validation token from the server, so if the cookie is reposted, it is not valid.

Answer 2

Even after the user logs out, response is received when requested with same old cookie.

Is your authentication system different form the ASP.NET Identity? If you use the ASP.NET Identity, the authentication cookie will be deleted during the logout operation and no "same old cookie" will be sent to the web server after logout:

Logout

The response header includes the authentication cookie with expires=Thu, 01-Jan-1970 00:00:00:

Redirect

When browser requests the url shown as the Location according to HTTP 302 response above, the authentication cookie will be deleted by the bowser and will not be sent to the server: