This repository was archived by the owner on Mar 6, 2025. It is now read-only.

Session cookie(s) not removed after logout with MVC hybrid client #2087

Closed
XplMarcel opened this issue Feb 19, 2018 · 10 comments
Comments

@XplMarcel

XplMarcel commented Feb 19, 2018

If I log out using my MVC client, the browser is correctly redirected to the /endsession endpoint, which in turn calls Logout on the AccountController.

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        // build a model so the logged out page knows what to display
        var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

        if (User?.Identity.IsAuthenticated == true)
        {
            // delete local authentication cookie
            await HttpContext.SignOutAsync();
        }
        return View("LoggedOut", vm);
    }

However, after returning to the MVC client, the idsrv.session cookie and the .AspNetCore.Identity.Application cookie are still present in the browser. Isn't HttpContext.SignOutAsync() responsible for removing those local cookies?
How should I remove those cookies to prevent auto-logins?

Thanks in advance.

@brockallen
Contributor

Isn't the HttpContext.SignOutAsync() responsible for removing those local cookies ?

It clears the default signout scheme. Sounds like there might be some misconfig in your ASP.NET authentication schemes.

@brockallen
Contributor

All set on this issue -- can we close?

@cxheun

cxheun commented Apr 13, 2018

Hi @brockallen, please don't close yet. I'm currently having this issue. How do I resolve it, should it be a misconfiguration in the authentication scheme?

"Sounds like there might be some misconfig in your ASP.NET authentication schemes."

@fawadali123

Hello @cxheun,

Any update on it? I'm facing the same issue. I cannot log out from my MVC client application.

@mhxjbw

mhxjbw commented Jun 26, 2018

For what it's worth, I'm having the same problem. Logout works just fine, but the cookie remains. I haven't been able to get rid of it.

@kevdever

I'm having the same issue. In the client, the logout appears successful, but the Identity.Application cookie lingers, so if I navigate back to an authorized page, I'm automatically signed-in again. Manually deleting the cookie solves the problem. The server logs indicate a successful result from EndSession.

This occurs when running the AspIdentity quickstart, modified slightly to run in Asp.Net Core 2.1 (the only real difference is a route hack to strip out the "/Identity" area routes).

@mhxjbw

mhxjbw commented Jun 27, 2018

I found what fixes it on my end, though I'm not sure why my previous code, copied from the samples/forums, didn't work and do precisely the same thing. Here's the logout code from my account controller in my MVC 5 client app:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        return SignOut("Cookies", "oidc");
    }

That makes it work as expected. I'm still using an implicit model, but perhaps that can help you somehow as well? I find this whole project a wonderful contribution but very confusing to use. I expect that's a by-product of the whole authentication/authorization business being so complicated these days.
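The fix above only works when the scheme names handed to SignOut(...) are the same names the client registered in Startup. The following is an added example, not code from this thread or from the IdentityServer samples, showing a client wiring in which the two names are declared once and reused by the Logout action; the authority URL and client id are placeholders, and it assumes ASP.NET Core 2.x with the Cookies and OpenIdConnect authentication packages.

```csharp
// Added example (not from the thread): MVC client wiring in which the scheme
// names passed to SignOut(...) match the names registered in Startup.
// Assumed: ASP.NET Core 2.x, Microsoft.AspNetCore.Authentication.Cookies and
// Microsoft.AspNetCore.Authentication.OpenIdConnect; authority and client id
// are placeholders.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // The scheme names are the contract between Startup and the Logout action.
    public const string CookieScheme = "Cookies";
    public const string OidcScheme = "oidc";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieScheme;         // local session cookie
            options.DefaultChallengeScheme = OidcScheme;  // redirect to IdentityServer
        })
        .AddCookie(CookieScheme)
        .AddOpenIdConnect(OidcScheme, options =>
        {
            options.SignInScheme = CookieScheme;
            options.Authority = "https://identityserver.example"; // placeholder
            options.ClientId = "mvc";                              // placeholder
            options.SaveTokens = true;
            options.SignedOutRedirectUri = "/";
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class AccountController : Controller
{
    // Signing out of the cookie scheme alone clears only the client's own
    // session cookie; signing out of the OIDC scheme as well triggers the
    // redirect to IdentityServer's end-session endpoint. Both names must be
    // the ones registered above, otherwise the handler is never invoked.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        return SignOut(Startup.CookieScheme, Startup.OidcScheme);
    }
}
```

A quick check after deploying this: the POST to /Account/Logout should answer with a Set-Cookie header that expires the client's session cookie, followed by a redirect to the IdentityServer end-session endpoint. If either is missing, the scheme name in SignOut(...) does not match one registered in AddAuthentication.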

@jayoma

jayoma commented Jul 10, 2018

@mhxjbw even your suggestion didn't work for me, for some reason.

Here is what DID work for me: if you are using the Quickstart UI AND leveraging ASP.NET Core Identity, you'll want to swap a line in the Logout action method of the IdentityServer implementation:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutFormModel model)
{
    // build a model so the logged out page knows what to display
    var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

    if (User?.Identity.IsAuthenticated == true)
    {
        // delete local authentication cookie
        //await HttpContext.SignOutAsync(); // <-- replace this line
        await _signInManager.SignOutAsync(); // <-- with this one

        // raise the logout event
        await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
    }

    return View("LoggedOut", vm);
}

If you're NOT using the SignInManager w/ ASP.NET Identity, I think I can still shed some light. It seems that the problem is stemming from the fact that the await HttpContext.SignOutAsync(); call within IS4's Logout action is not properly targeting IdentityServer's authentication scheme: "Identity.Application". If you manually supply that scheme, it works:

await HttpContext.SignOutAsync("Identity.Application");
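Putting the two variants from the comment above together, here is an added example of an IdentityServer-host Logout action that signs out of the ASP.NET Identity scheme explicitly. It is not the quickstart's own code: it assumes IdentityServer4 2.x configured with AddAspNetIdentity, a hypothetical ApplicationUser class, and a minimal LoggedOutViewModel written here for the example rather than the quickstart's own view model and BuildLoggedOutViewModelAsync helper.

```csharp
// Added example (not the quickstart's own code): IdentityServer4 host Logout
// action that signs out of the ASP.NET Identity cookie scheme explicitly
// instead of relying on the default sign-out scheme. Assumed: IdentityServer4
// 2.x with AddAspNetIdentity<ApplicationUser>(); ApplicationUser and
// LoggedOutViewModel below are hypothetical minimal versions.
using System.Threading.Tasks;
using IdentityServer4.Events;
using IdentityServer4.Extensions;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }   // hypothetical user type

public class LoggedOutViewModel                    // hypothetical minimal view model
{
    public string PostLogoutRedirectUri { get; set; }
    public string ClientId { get; set; }
    public string SignOutIframeUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IEventService _events;

    public AccountController(
        SignInManager<ApplicationUser> signInManager,
        IIdentityServerInteractionService interaction,
        IEventService events)
    {
        _signInManager = signInManager;
        _interaction = interaction;
        _events = events;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // Resolve the end-session request so the LoggedOut view can render the
        // front-channel sign-out iframe and the client's post-logout link.
        var logout = await _interaction.GetLogoutContextAsync(logoutId);
        var vm = new LoggedOutViewModel
        {
            PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
            ClientId = logout?.ClientId,
            SignOutIframeUrl = logout?.SignOutIFrameUrl,
        };

        if (User?.Identity.IsAuthenticated == true)
        {
            // SignInManager.SignOutAsync signs out of the schemes ASP.NET Identity
            // registered, which is where the .AspNetCore.Identity.Application
            // cookie lives. A bare HttpContext.SignOutAsync() only targets the
            // default sign-out scheme, which is the mismatch this thread reports.
            // Without a SignInManager, the equivalent explicit call is:
            //   await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
            await _signInManager.SignOutAsync();

            // Raise the logout event so the sign-out is recorded in the audit trail.
            await _events.RaiseAsync(new UserLogoutSuccessEvent(
                User.GetSubjectId(), User.GetDisplayName()));
        }

        return View("LoggedOut", vm);
    }
}
```

To verify the fix rather than trusting the log line, inspect the response to the Logout POST: it should carry a Set-Cookie header for .AspNetCore.Identity.Application with an expiry in the past, and a subsequent request to an authorized page on the client must redirect to the login page instead of silently signing the user back in.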

@brockallen
Contributor

Yes, when you're using ASP.NET Identity they wire up internally their own cookie scheme, so you need to use their API to revoke their cookie as well.

@lock

lock bot commented Jan 11, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
