Home > Blockchain >  How to Invalidate AspNetCore.Identity.Application Cookie after user log out
How to Invalidate AspNetCore.Identity.Application Cookie after user log out

Time:11-30

I am having trouble invalidating .AspNetCore.Identity.Application cookie in ASP.NET Core Identity once the user log out.

Once user clicks on log out below code will execute.

   public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        // build a model so the logged out page knows what to display
        LoggedOutViewModel loggedOutViewModel = await BuildLoggedOutViewModelAsync(model.LogoutId);

        _logger.LogInformation($"loggedOutViewModel : {JsonConvert.SerializeObject(loggedOutViewModel)}");

        if (User?.Identity.IsAuthenticated == true)
        {
            // delete local authentication cookie
            await _norskTakstSignInManager.SignOutAsync();

            //clear cookies
            var appCookies = Request.Cookies.Keys;
            foreach (var cookie in appCookies)
            {
                Response.Cookies.Delete(cookie);
            }

            // raise the logout event
            await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
        }

        // check if we need to trigger sign-out at an upstream identity provider
        if (loggedOutViewModel.TriggerExternalSignout)
        {
            // build a return URL so the upstream provider will redirect back
            // to us after the user has logged out. this allows us to then
            // complete our single sign-out processing.
            string url = Url.Action("Logout", new { logoutId = loggedOutViewModel.LogoutId });

            // this triggers a redirect to the external provider for sign-out
            return SignOut(new AuthenticationProperties { RedirectUri = url }, loggedOutViewModel.ExternalAuthenticationScheme);
        }

        return View("LoggedOut", loggedOutViewModel);
    }

This successfully clears all the cookies in the browser, however, if I grab the value of the cookie named ".AspNetCore.Identity.Application" prior to signing out, then add it back in on to the browser, then i can log in to the application without entering user credentials.

I tested few flows setting up cookie expiration time in different ways but non of them seem to work correctly.

I want to know way to invalidate the cookie without just clearing to resolve this issue.Then user should not be able to enter cookie manually and log in to the system. Any help is hugly appreciated. Thank you.

CodePudding user response:

That's by design... one thing you can do is try updating the user's security stamp after logout, using UserManager.UpdateSecurityStampAsync.

This way the cookie's security stamp won't match the one in the database and the cookie will no longer be valid (however, no other cookie issued to that user will, even if they haven't "signed out"... so if a user has several sessions opened, all of those cookies will stop being valid, not just the one you signed out).

Identity doesn't track specific user sessions (it just validates the cookie against the user, and if it matches, it matches). If you want to be able to selectively remove sessions, you'll have to track them yourself

CodePudding user response:

For me the best security practice is save every login and logout in one record with an unique random ID as GUID, then save this "id session" into the claims, and check this everytime the user access, if the ID in the claim is correct to that session.

Page link:https//www.codepudding.com/Blockchain/209245.html

Prev:Extension host terminated unexpectedly issue with VS code
Next:How to pass comma separated value in attribute when input parameter is enum in c#
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding