Hi Sir/Madam,
I have a web application using ASP.NET MVC 4.6.
In Startup, I am creating the ApplicationCookie like below:
```csharp
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "ApplicationCookie",
    ExpireTimeSpan = System.TimeSpan.FromHours(8),
    SlidingExpiration = false,
    LoginPath = new PathString("/login/index")
});
```
I would like to invalidate the cookie upon logout. For that I have written the code below:
```csharp
HttpContext.GetOwinContext().Authentication.SignOut("ApplicationCookie");
var cookie = new HttpCookie("ApplicationCookie")
{
    Expires = DateTime.Now.AddDays(-1),
    Value = string.Empty
};
Response.Cookies.Add(cookie);
Session.RemoveAll();
Session.Abandon();
Session.Clear();
```
However, after I log out, I can reuse the above created cookie within 2 hours.
Could you please advise how to invalidate the cookie upon logout?
Session is not involved with authentication cookies. You need to expire the authentication cookie. Try:
```csharp
Request.GetOwinContext().Authentication.SignOut();
```
I understand that your development environment is:
First of all, keep in mind that there is no relation between the ASP.NET Identity and the ASP.NET Session. Their cookies are different and independent.
(1) See the image below, which shows the request and response captured by Fiddler. Note that both the authentication cookie (red underline) and the Session cookie (blue underline) are included in the request header.
(2) Below is the result of the logoff operation. Note that the response header Set-Cookie includes an empty and outdated authentication cookie (red underline). Also note that the server returned HTTP 302 (redirect).
(3) Below is the result of the redirect operation. Note that there is no authentication cookie in the request header. Since the authentication cookie received at step (2) above is outdated, the browser automatically deleted it.
Note that the Session cookie (blue underline) still exists. It will never be deleted by Session.RemoveAll(), Session.Abandon() or Session.Clear(). It will be reused until the browser has been shut down.
Hi @Srinivas Balanagu,
> I would like to invalidate the cookie upon logout. For that I have written the code below. HttpContext.GetOwinContext().Authentication.SignOut("ApplicationCookie");
It seems to me that you are close to the answer, and I see that you used the HttpContext.GetOwinContext().Authentication.SignOut() method.
Just from the code, I think there may be some problems with the parameter AuthenticationType you defined. If you customize the identity, you may need to use code like this when logging in:
```csharp
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim("your-claim", "your-app-cookie-name"));
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
```
Otherwise, I suggest you use its default value, DefaultAuthenticationTypes.ApplicationCookie. Like this:
```csharp
HttpContext.GetOwinContext().Authentication.SignOut(
    DefaultAuthenticationTypes.ApplicationCookie);
```
Best regards,
Xudong Peng
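Putting the two answers together, here is an added example (not code from the thread or from any of its posters) of a Startup and a LogOff action that use the same AuthenticationType for SignIn, SignOut and UseCookieAuthentication. It goes one step beyond the thread: because the OWIN cookie is self-contained, SignOut only tells the browser to drop it, so the example also rotates the user's security stamp on logout and enables SecurityStampValidator so that a copied cookie is rejected server-side. It assumes the Visual Studio Identity template types ApplicationUser and ApplicationUserManager and a LoginController with an Index action.

```csharp
// Added example; assumes the Identity template's ApplicationUser/ApplicationUserManager
// and the Microsoft.AspNet.Identity.Owin and Microsoft.Owin.Security.Cookies packages.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Same constant here, in SignIn and in SignOut; a mismatched string
            // means SignOut never issues the expiring Set-Cookie for this cookie.
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = false,
            LoginPath = new PathString("/login/index"),
            Provider = new CookieAuthenticationProvider
            {
                // The cookie carries its own ticket; without this check a copy of it
                // stays valid until ExpireTimeSpan even after SignOut. Every
                // validateInterval the stamp is re-read from the store, so a copied
                // cookie is rejected within 5 minutes once the stamp has changed.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => manager.CreateIdentityAsync(
                            user, DefaultAuthenticationTypes.ApplicationCookie))
            }
        });
    }
}

public class LoginController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var owin = HttpContext.GetOwinContext();
        // Rotating the stamp invalidates every cookie issued to this user server-side;
        await owin.GetUserManager<ApplicationUserManager>()
                  .UpdateSecurityStampAsync(User.Identity.GetUserId());
        // SignOut then makes the browser discard its copy (expired Set-Cookie + 302).
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index");
    }
}
```

The Session.Abandon() and HttpCookie lines from the question are not needed: the first does not touch the authentication cookie, and SignOut already emits the expiring Set-Cookie shown in the Fiddler capture above.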