I am debugging into ASP.NET Identity 2.x assemblies because when I call SignOut from an aspx WebForms page in an ASP.NET web site targeting .NET 4.8, the auth cookie never gets deleted and the user remains logged in.
The source code for the SignOut methods in ASP.NET Identity is below.
My question is: where exactly is the auth cookie getting deleted in this source code for SignOut? It's quite hard for me to tell which line of code deletes the auth cookie, since my idea of deleting a cookie is to simply expire it and then add it to the Response object, and nowhere in the SignOut source code is the cookie being expired.
When I debug, I am first taken to
SignOut(string[] authenticationTypes)
method in source code, which then calls
SignOut(AuthenticationProperties properties, string[] authenticationTypes)
in the same source code. The object priorGrant is null and priorRevoke is also null. The last line called in the source code is the one that says
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes, properties)
Code in my webforms aspx page:
Context.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
Source code that Visual Studio 2022 takes me to when the above line in my page is called (these methods are in the Microsoft.Owin.Security.AuthenticationManager class):
public void SignOut(AuthenticationProperties properties, string[] authenticationTypes)
{
    AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
    if (priorGrant != null)
    {
        // Scan the sign-in's and remove any with a matching auth type.
        ClaimsIdentity[] filteredIdentities = priorGrant.Principal.Identities
            .Where(identity => !authenticationTypes.Contains(identity.AuthenticationType, StringComparer.Ordinal))
            .ToArray();

        if (filteredIdentities.Length < priorGrant.Principal.Identities.Count())
        {
            if (filteredIdentities.Length == 0)
            {
                AuthenticationResponseGrant = null;
            }
            else
            {
                AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(filteredIdentities), priorGrant.Properties);
            }
        }
    }

    AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
    if (priorRevoke == null)
    {
        AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes, properties);
    }
    else
    {
        if (properties != null && !object.ReferenceEquals(properties.Dictionary, priorRevoke.Properties.Dictionary))
        {
            // Update prior properties
            foreach (var propertiesPair in properties.Dictionary)
            {
                priorRevoke.Properties.Dictionary[propertiesPair.Key] = propertiesPair.Value;
            }
        }

        // Cumulative auth types
        string[] mergedAuthTypes = priorRevoke.AuthenticationTypes.Concat(authenticationTypes).ToArray();
        AuthenticationResponseRevoke = new AuthenticationResponseRevoke(mergedAuthTypes, priorRevoke.Properties);
    }
}

public void SignOut(string[] authenticationTypes)
{
    SignOut(new AuthenticationProperties(), authenticationTypes);
}