
I am having trouble invalidating the .AspNetCore.Identity.Application cookie in ASP.NET Core Identity once the user logs out.

Once the user clicks on log out, the code below executes.

    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        // build a model so the logged out page knows what to display
        LoggedOutViewModel loggedOutViewModel = await BuildLoggedOutViewModelAsync(model.LogoutId);

        _logger.LogInformation($"loggedOutViewModel : {JsonConvert.SerializeObject(loggedOutViewModel)}");

        if (User?.Identity?.IsAuthenticated == true)
        {
            // delete local authentication cookie (sends an expired cookie back to this browser;
            // the ticket carried by a saved copy of the cookie is not invalidated server side)
            await _norskTakstSignInManager.SignOutAsync();

            // clear cookies: Delete() only emits expiring Set-Cookie headers for the
            // names seen in this request, it does not revoke anything on the server
            var appCookies = Request.Cookies.Keys;
            foreach (var cookie in appCookies)
            {
                Response.Cookies.Delete(cookie);
            }

            // raise the logout event
            await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
        }

        // check if we need to trigger sign-out at an upstream identity provider
        if (loggedOutViewModel.TriggerExternalSignout)
        {
            // build a return URL so the upstream provider will redirect back
            // to us after the user has logged out. this allows us to then
            // complete our single sign-out processing.
            string url = Url.Action("Logout", new { logoutId = loggedOutViewModel.LogoutId });

            // this triggers a redirect to the external provider for sign-out
            return SignOut(new AuthenticationProperties { RedirectUri = url }, loggedOutViewModel.ExternalAuthenticationScheme);
        }

        return View("LoggedOut", loggedOutViewModel);
    }

This successfully clears all the cookies in the browser. However, if I grab the value of the cookie named ".AspNetCore.Identity.Application" prior to signing out, then add it back into the browser, I can log in to the application without entering user credentials.


I tested a few flows, setting up the cookie expiration time in different ways, but none of them seem to work correctly.

I want to know a way to invalidate the cookie, rather than just clearing it, to resolve this issue. Then the user should not be able to enter the cookie manually and log in to the system. Any help is hugely appreciated. Thank you.

2 Answers


That's by design... one thing you can do is try updating the user's security stamp after logout, using UserManager.UpdateSecurityStampAsync.

This way the cookie's security stamp won't match the one in the database and the cookie will no longer be valid (however, no other cookie issued to that user will, even if they haven't "signed out"... so if a user has several sessions opened, all of those cookies will stop being valid, not just the one you signed out).

Identity doesn't track specific user sessions (it just validates the cookie against the user, and if it matches, it matches). If you want to be able to selectively remove sessions, you'll have to track them yourself.


3 Comments

Hi, thanks. I updated the user security stamp but the user is still able to log in using the previous cookie. Are there any other options which I can check here?
@Priyankara no, I don't think so... take note that cookie validation might be cached. I'm not sure how it works in Core, but in legacy ASP.NET there was some OWIN service you could use to invalidate this cache. Again, if you need granular session security, your best bet would be implementing it yourself and invalidating the session ID (you can just make a middleware that invalidates it: the session ID comes in the cookie and you can read it); however, storing and managing the sessions is up to you.
Yes, as I was unable to find an exact solution for this, I finally decided to go with this manual implementation. Hope this solves the issue.
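The approach from this answer and its comment thread, worked through as an added example (this is not the poster's or the answerer's code). The stamp is rotated before SignOutAsync, and SecurityStampValidatorOptions.ValidationInterval is shortened: Identity's cookie handler only re-checks the stamp claim against the database every 30 minutes by default, which is the "cached validation" the comment refers to and the usual reason a rotated stamp appears to do nothing. ApplicationUser, AccountController and the redirect target are assumptions; the Identity registration itself (AddIdentity / AddDefaultIdentity) is taken as already present.

```csharp
// Added example, not the original poster's code. Assumes the standard
// ASP.NET Core Identity registration with an ApplicationUser type.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public static class SecurityStampSetup
{
    // Call from ConfigureServices after the AddIdentity/AddDefaultIdentity call.
    public static void Configure(IServiceCollection services)
    {
        // Identity re-validates the SecurityStamp claim in the cookie against
        // the database only once per ValidationInterval (default 30 minutes).
        // Inside that window a replayed cookie is accepted even though the
        // stamp in the database has changed. TimeSpan.Zero checks on every
        // request (one user lookup per request); a few seconds is a common
        // compromise if that cost matters.
        services.Configure<SecurityStampValidatorOptions>(options =>
        {
            options.ValidationInterval = TimeSpan.Zero;
        });
    }
}

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(UserManager<ApplicationUser> userManager,
                             SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        if (User?.Identity?.IsAuthenticated == true)
        {
            var user = await _userManager.GetUserAsync(User);
            if (user != null)
            {
                // Rotate the stamp BEFORE signing out. Every cookie issued so
                // far carries the old stamp claim, so all of them (including a
                // copy saved from the browser) fail validation from now on.
                await _userManager.UpdateSecurityStampAsync(user);
            }

            // Removes the cookie from this browser; on its own this is all the
            // original Logout action achieved.
            await _signInManager.SignOutAsync();
        }

        return RedirectToAction("Index", "Home"); // assumed landing page
    }
}
```

As the answer notes, this is a per-user switch, not a per-session one: rotating the stamp also logs out every other browser in which that user is signed in. Setting the interval to zero turns every authenticated request into a user lookup, so measure before shipping it on a busy site.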

For me the best security practice is to save every login and logout in one record with a unique random ID (a GUID), then save this "session id" into the claims, and check on every access by the user whether the ID in the claim matches that session.
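The per-session record this answer describes, as an added example (not the answerer's code). A GUID is created at login, stored server side, and placed in the cookie as a claim; the cookie handler's OnValidatePrincipal event rejects any ticket whose session has been logged out, so only the session that signed out dies, unlike the security-stamp approach. ISessionStore and InMemorySessionStore are hypothetical helpers standing in for a database table; ApplicationUser, AccountController and the redirect target are assumptions. Assigning OnValidatePrincipal replaces Identity's own stamp check, so the handler calls SecurityStampValidator.ValidatePrincipalAsync first to keep it.

```csharp
// Added example, not the answerer's code. ISessionStore/InMemorySessionStore
// are hypothetical; back them with a table keyed by the session GUID.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public interface ISessionStore
{
    Task<Guid> CreateAsync(string userId);     // one record per login
    Task<bool> IsActiveAsync(Guid sessionId);  // false once logged out
    Task RevokeAsync(Guid sessionId);          // record the logout
}

public class InMemorySessionStore : ISessionStore
{
    private readonly ConcurrentDictionary<Guid, string> _active = new ConcurrentDictionary<Guid, string>();
    public Task<Guid> CreateAsync(string userId) { var id = Guid.NewGuid(); _active[id] = userId; return Task.FromResult(id); }
    public Task<bool> IsActiveAsync(Guid id) => Task.FromResult(_active.ContainsKey(id));
    public Task RevokeAsync(Guid id) { _active.TryRemove(id, out _); return Task.CompletedTask; }
}

public static class SessionClaimSetup
{
    public const string SessionClaimType = "sid";

    // Call from ConfigureServices after AddIdentity/AddDefaultIdentity.
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<ISessionStore, InMemorySessionStore>();
        services.ConfigureApplicationCookie(options =>
        {
            options.Events.OnValidatePrincipal = async context =>
            {
                // Keep Identity's security-stamp validation, then add ours.
                await SecurityStampValidator.ValidatePrincipalAsync(context);
                if (context.Principal == null) return; // already rejected

                var store = context.HttpContext.RequestServices.GetRequiredService<ISessionStore>();
                var sid = context.Principal.FindFirst(SessionClaimType)?.Value;

                // No session claim, or a session that was logged out: reject the
                // ticket even though the stamp still matches the database.
                if (!Guid.TryParse(sid, out var sessionId) || !await store.IsActiveAsync(sessionId))
                {
                    context.RejectPrincipal();
                    await context.HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
                }
            };
        });
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly ISessionStore _sessions;

    public AccountController(SignInManager<ApplicationUser> signInManager,
                             UserManager<ApplicationUser> userManager,
                             ISessionStore sessions)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _sessions = sessions;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password)
    {
        // Lockout and two-factor handling omitted to keep the example short.
        var user = await _userManager.FindByNameAsync(userName);
        if (user == null || !await _userManager.CheckPasswordAsync(user, password))
            return Unauthorized();

        // Create the session record and carry its GUID in the cookie as a claim.
        var sessionId = await _sessions.CreateAsync(user.Id);
        await _signInManager.SignInWithClaimsAsync(user, isPersistent: false,
            new[] { new Claim(SessionClaimSetup.SessionClaimType, sessionId.ToString()) });
        return RedirectToAction("Index", "Home"); // assumed landing page
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        var sid = User.FindFirst(SessionClaimSetup.SessionClaimType)?.Value;
        if (Guid.TryParse(sid, out var sessionId))
            await _sessions.RevokeAsync(sessionId); // only this session is revoked
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }
}
```

The check runs on every authenticated request, so the store should be a cheap lookup (a primary-key read or a cache in front of it). Revoked rows also give you what Identity lacks: a list of a user's live sessions that an admin can kill one at a time.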
