dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

CookieAuthentication - Session Active after Signout #15730

Closed rahulsingii closed 4 years ago

rahulsingii commented 4 years ago

Issue description

I have implemented a mix of ASP.NET Cookie Authentication & OWIN OpenId authentication in my application. I am trying to fix a security flaw where the session is not invalidated even after logout.

Middleware Implementation:-

app.UseCookieAuthentication(
    new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        // ............. (remaining options elided in the original post)
    });

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        // (snippet ends here in the original post)
    });

LogOut Code (Based on user type):-

HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType);

HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);

I am capturing the traffic in Fiddler and clicking sign-out from the web page. When I try to re-issue the request from Fiddler, it completes successfully, and in the HttpModule, application.User.Identity.IsAuthenticated is True.

Software versions

Check the .NET target framework(s) being used, and include the version number(s).

.NET Framework 4.5.2 Visual Studio 2019
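Added example, not part of the issue thread or the ASP.NET documentation: by default the OWIN cookie middleware keeps the whole authentication ticket inside the cookie, so SignOut only tells the browser to drop it, and a copy captured before logout still validates until the ticket expires. One way to make sign-out take effect server-side is a session id that is checked on every request; the class name, claim type and in-memory store below are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class RevocableCookieAuth
{
    // Assumed claim type and in-memory store; use a shared store (database,
    // distributed cache) when more than one server handles requests.
    private const string SessionIdClaim = "urn:example:session-id";
    private static readonly ConcurrentDictionary<string, bool> ActiveSessions =
        new ConcurrentDictionary<string, bool>();

    public static void Configure(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            Provider = new CookieAuthenticationProvider
            {
                // Sign-in: stamp the ticket with a fresh id and record it server-side.
                OnResponseSignIn = ctx =>
                {
                    var sid = Guid.NewGuid().ToString("N");
                    ctx.Identity.AddClaim(new Claim(SessionIdClaim, sid));
                    ActiveSessions[sid] = true;
                },
                // Every request: reject tickets whose id is no longer recorded.
                OnValidateIdentity = ctx =>
                {
                    var sid = ctx.Identity.FindFirst(SessionIdClaim);
                    if (sid == null || !ActiveSessions.ContainsKey(sid.Value))
                        ctx.RejectIdentity();
                    return Task.FromResult(0);
                }
            }
        });
    }

    // Call from the logout action before Authentication.SignOut(...).
    public static void Revoke(ClaimsPrincipal user)
    {
        var sid = user?.FindFirst(SessionIdClaim);
        bool removed;
        if (sid != null) ActiveSessions.TryRemove(sid.Value, out removed);
    }
}
```

In the logout action, call `RevocableCookieAuth.Revoke(HttpContext.GetOwinContext().Authentication.User)` before the existing SignOut call. Because the store lives in memory, an application restart rejects every outstanding ticket, which fails closed.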

Rick-Anderson commented 4 years ago

We're a doc team unable to provide support. You might try asking on SO.

If you think this is a product bug, create the simplest possible sample that reproduces the problem and open an issue at GitHub ASP.NET Core.

Include steps to reproduce the bug and the version you're using (dotnet --version).