None
0 Points
2 Posts
Issue with Cookie Authentication and SignOut
Aug 15, 2019 11:05 AM | spindlet
Hello,
We have an ASP.NET MVC 5 application using ASP.NET Identity and are encountering the following problem (it is reproducible with the default ASP.NET MVC template).
We use cookie authentication within OWIN. If we log in, copy the value of the auth cookie and then log out (calling AuthenticationManager.SignOut), the cookie is removed from the client.
When I use a REST client (like Rester or something) and call an authorized method with an HTTP Cookie header containing the pasted auth-cookie value, the server handles the request as authorized. Why doesn't SignOut() revoke the server-side authentication? Where are the generated tokens handled? How can we change this?
We appreciate any help.
Thanks.
Best regards, Spindlet.
All-Star
53051 Points
23634 Posts
Re: Issue with Cookie Authentication and SignOut
Aug 15, 2019 11:19 AM | mgebhard
Simply put, cookie authentication is functioning as expected. The presence of the authentication cookie indicates a successful authentication.
Identity has a security stamp validator: the security stamp is a GUID that matches a GUID in the auth cookie. Changing the GUID invalidates the auth cookie. The validateInterval is the frequency at which the validation is performed, i.e. how often the GUID is checked.

    // Startup.Auth.cs, inside CookieAuthenticationOptions.Provider (a CookieAuthenticationProvider):
    // Enables the application to validate the security stamp when the user logs in.
    // This is a security feature which is used when you change a password or add an external login to your account.
    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
        validateInterval: TimeSpan.FromMinutes(60),
        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
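The answer above says that changing the security stamp invalidates the cookie; what it leaves implicit is that nothing in the template changes the stamp on logout, and that the validator only consults the database once the ticket is older than validateInterval. The following is an added example (not mgebhard's or the template's code) of a LogOff action that rotates the stamp before signing out, together with a shorter validateInterval. It assumes the default MVC 5 template's ApplicationUserManager and ApplicationUser types and the UserManager and AuthenticationManager properties the template's AccountController already defines.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

// Added illustration, modelled on the template's AccountController. The two properties
// duplicate what the template already has; only LogOff differs from the template.
public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var userId = User.Identity.GetUserId();
        if (userId != null)
        {
            // Replace the user's security stamp with a fresh GUID. Every cookie issued for this
            // user carries the old value in its AspNet.Identity.SecurityStamp claim, so the
            // validator rejects all of them the next time it runs. Note the side effect: this
            // also ends the user's sessions on other devices, not just the one logging out.
            await UserManager.UpdateSecurityStampAsync(userId);
        }

        // Removes the cookie from this client only; a copied cookie is unaffected by this call.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}

// Startup.Auth.cs: the validator compares the ticket's issue time with validateInterval and
// only then looks the stamp up, so a copied cookie keeps working for up to validateInterval
// after the stamp changes. Lowering the interval shrinks that window at the cost of a user
// lookup per request once the interval has elapsed (TimeSpan.Zero means every request).
public static class CookieProviderFactory
{
    public static CookieAuthenticationProvider Create()
    {
        return new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        };
    }
}
```

With a one-minute interval the stolen cookie in the question still authenticates for up to a minute after LogOff; the residual window is inherent to this approach, because the cookie itself remains a valid self-contained ticket until the validator runs.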
None
0 Points
2 Posts
Re: Issue with Cookie Authentication and SignOut
Aug 21, 2019 08:23 PM | spindlet
Thanks for your answer. In our application your provided solution doesn't work, but you pointed us in the right direction.
We added the SessionStore property and implemented the interface. Now it is working as expected.
Thanks!
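The reply above names the fix but not the interface. What the SessionStore property takes is an IAuthenticationSessionStore from Microsoft.Owin.Security.Cookies; with it set, the cookie carries only a random key and the AuthenticationTicket lives on the server, so SignOut (which calls RemoveAsync) revokes the session immediately rather than after validateInterval. The following is an added example, not spindlet's implementation, of a minimal in-process store wired into the template's Startup.Auth.cs. InMemoryTicketStore is a hypothetical name; ApplicationUserManager and ApplicationUser are the template's types.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical in-process ticket store (illustration only). A ConcurrentDictionary is lost on
// app-pool recycle and is not shared across web-farm nodes; back it with a shared cache or a
// database table in production. The four methods are exactly the IAuthenticationSessionStore contract.
public class InMemoryTicketStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    // Called on SignIn: persist the ticket and return the key that goes into the cookie.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = NewKey();
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    // Called when the middleware slides the expiration: replace the ticket under the same key.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    // Called on every request that presents the cookie. Returning null makes the middleware
    // treat the request as anonymous, which is the behaviour after RemoveAsync or after expiry.
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        if (!_tickets.TryGetValue(key, out ticket))
        {
            return Task.FromResult<AuthenticationTicket>(null);
        }
        var expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out ticket);   // lazy cleanup of expired entries
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    // Called on SignOut: this is the server-side revocation the original question asks for.
    // A copied cookie now presents a key that maps to nothing.
    public Task RemoveAsync(string key)
    {
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }

    // The key is the only secret the client presents, so it must be unguessable:
    // 256 bits from the platform CSPRNG rather than Guid.NewGuid().
    private static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }
}

// Startup.Auth.cs: same as the template apart from the SessionStore line.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // The template's app.CreatePerOwinContext(...) registrations go here, unchanged.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            SessionStore = new InMemoryTicketStore(),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

Keeping the security stamp validator alongside the store is deliberate: the store handles logout, while the stamp still ends all of a user's sessions after a password change. One check worth doing after wiring this up is to repeat the experiment from the question (copy the cookie, log out, replay it from a REST client) and confirm the replay now gets the login redirect instead of the authorized response.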