How to invalidate .AspNet.ApplicationCookie Cookie in ASP.NET MVC 4.6.2

Srinivas Balanagu 0 Reputation points
2024-09-16T07:36:43.33+00:00

Hi Sir/Madam

I have web application using ASP.NET MVC 4.6 version.

In Startup, I am creating the ApplicationCookie like below:

```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "ApplicationCookie",
    ExpireTimeSpan = System.TimeSpan.FromHours(8),
    SlidingExpiration = false,
    LoginPath = new PathString("/login/index")
});
```

I would like to invalidate the cookie upon logout. For that I have written the code below.

```csharp
HttpContext.GetOwinContext().Authentication.SignOut("ApplicationCookie");

// Overwrites a cookie literally named "ApplicationCookie". The OWIN cookie
// middleware's default cookie name is ".AspNet." + AuthenticationType,
// i.e. ".AspNet.ApplicationCookie" (the name used in the question title).
var cookie = new HttpCookie("ApplicationCookie")
{
    Expires = DateTime.Now.AddDays(-1),
    Value = string.Empty
};
Response.Cookies.Add(cookie);

Session.RemoveAll();
Session.Abandon();
Session.Clear();
```

However, after I log out, I can reuse the above created cookie within 2 hours.

Could you please advise how to invalidate the cookie upon logout?
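The behaviour described in the question follows from the OWIN cookie middleware being stateless: SignOut only tells the browser to drop the cookie, and a ticket that was already copied stays valid until ExpireTimeSpan passes. As an added example, not code from the question or any answer, the following ties the ticket to a server-side ASP.NET Identity security stamp so that rotating the stamp on logout rejects every previously issued copy; ApplicationUserManager, ApplicationUser and GenerateUserIdentityAsync are assumed to be those of the default ASP.NET Identity project template, and the controller and action names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, // "ApplicationCookie"
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = false,
            LoginPath = new PathString("/login/index"),
            Provider = new CookieAuthenticationProvider
            {
                // Compare the security stamp carried in the ticket with the one in
                // the user store on every request (validateInterval = zero). A ticket
                // whose stamp no longer matches is rejected and the caller signed out.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager)) // assumed template method
            }
        });
    }
}

public class LoginController : Controller // hypothetical controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Logout()
    {
        var userManager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        // Rotating the stamp server-side invalidates every ticket issued so far,
        // including a copy kept by a client that ignores the expiring Set-Cookie.
        await userManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
        HttpContext.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index");
    }
}
```

With validateInterval set to TimeSpan.Zero the stamp is checked against the store on every authenticated request; a short non-zero interval trades a replay window of that length for fewer database reads.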


4 answers

  1. Bruce (SqlWork.com) 65,231 Reputation points
    2024-09-16T17:12:22.3633333+00:00

    Session is not involved with authentication cookies. You need to expire the authentication cookie. Try:

    ```csharp
    Request.GetOwinContext().Authentication.SignOut();
    ```

  2. SurferOnWww 2,816 Reputation points
    2024-09-17T01:22:40.8366667+00:00

    I understand that your development environment is:

    • Visual Studio 2022
    • ASP.NET MVC5
    • .NET Framework 4.6.2
    • ASP.NET Identity

    First of all, keep in mind that there is no relation between the ASP.NET Identity and the ASP.NET Session. Their cookies are different.

    (1) See the image below, which shows the request and response captured by Fiddler. Note that both the authentication cookie (red underline) and the Session cookie (blue underline) are included in the request header.

    [image: Fiddler capture of the request and response]

    (2) Below is the result of the logoff operation. Note that the response header includes an empty and outdated authentication cookie (red underline). Also note that the server returned HTTP 302 (redirect).

    [image: Fiddler capture of the logoff response]

    (3) Below is the result of the redirect operation. Since the authentication cookie received at step (2) above is outdated, the browser automatically deleted the authentication cookie.

    [image: Fiddler capture of the redirect request]

    Note that the Session cookie (blue underline) still exists in the above image. It will never be deleted by Session.RemoveAll(), Session.Abandon() or Session.Clear() and will be reused until the browser has been shut down.


  3. SurferOnWww 2,816 Reputation points
    2024-09-17T02:21:08.6966667+00:00

    First of all, keep in mind that there is no relation between the ASP.NET Identity and the ASP.NET Session. Their cookies are different and independent.

    (1) See the image below, which shows the request and response captured by Fiddler. Note that both the authentication cookie (red underline) and the Session cookie (blue underline) are included in the request header.

    [image: Fiddler capture of the request and response]

    (2) Below is the result of the logoff operation. Note that the Set-Cookie response header includes an empty and outdated authentication cookie (red underline). Also note that the server returned HTTP 302 (redirect).

    [image: Fiddler capture of the logoff response]

    (3) Below is the result of the redirect operation. Note that there is no authentication cookie in the request header. Since the authentication cookie received at step (2) above is outdated, the browser automatically deleted the authentication cookie.

    [image: Fiddler capture of the redirect request]

    Note that the Session cookie (blue underline) still exists. It will never be deleted by Session.RemoveAll(), Session.Abandon() or Session.Clear(). It will be reused until the browser has been shut down.


  4. XuDong Peng-MSFT 10,511 Reputation points Microsoft Vendor
    2024-09-17T03:48:20.22+00:00

    Hi @Srinivas Balanagu,

    I would like to invalidate the cookie upon logout. For that I have written in below code. HttpContext.GetOwinContext().Authentication.SignOut("ApplicationCookie");

    It seems to me that you are close to the answer, and I see that you used the HttpContext.GetOwinContext().Authentication.SignOut() method.

    Just from the code, I think there may be some problems with the parameter AuthenticationType you defined. If you customize the identity, you may need to use code like this when logging in:

    ```csharp
    var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    identity.AddClaim(new Claim("your-claim", "your-app-cookie-name"));
    AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
    ```

    Otherwise, I suggest you use its default value: DefaultAuthenticationTypes.ApplicationCookie. Like this:

    ```csharp
    HttpContext.GetOwinContext().Authentication.SignOut(
        DefaultAuthenticationTypes.ApplicationCookie);
    ```

    Best regards,

    Xudong Peng
