Aug 15, 2019 11:05 AM|spindlet|LINK
we've a ASP.NET MVC5 application and using ASP.NET Identity and are encountering the following problem (it is reproducable with the default ASP.NET MVC Template).
We use CookieAuthentification within OWIN. If we login and copy the value of the auth-cookie and then logout (calling AuthenticationManager.SignOut) the cookie from the client is removed.
When I use a rest-client (like rester or something) and call a authorized method with a http header cookie and paste the value of the auth-cookie the server handles the request like authorized. Why does the SignOut() don't revoke the serverside auth? Where
are the generated token handled? How can we change this?
We appreciate any help.
Best regards, Spindlet.