Skip to content

Fix sign-out with ASP.Net Identity Core 2.1

For a new app I’m writing using ASP.Net MVC Core 2.1, EF Core 2.1 and ASP.Net Identity 2.1 I had to implement the sign-out / log-out functionality. You may ask why, because this is shipped with ASP.Net Core OOTB? Yes – it is. But in the default template with ASP.Net Identity Core EF 2.1 it does not work.

I think I can work but depends on the kind auf authentication you activate. I use token authentication via cookies. The logoff action shipped with ASP.Net Core 2.1 doesn’t work for this. It forward you to the log-off page telling you, that you have been logged out but actually you are still logged in.

I figured that the cookie with the authentication token is still present in the the browser session – even after you called the default logout action. The token-authentication works the way the server generate an encrypted authentication token (basically a string) that is passed forth and back using a cookie. The server validates this token with each request. Normally there is no server-side token-store or so. So there is no need to actively log-out on the server-side.

To fix it I implemented my own action which removes this cookie and then redirect to the start-page of my app. To do this more reliable I gave the authentication cookie my own custom name.

In ConfigureServices() in Startup.cs I placed the following code to configure authentication:

services.ConfigureApplicationCookie(options =>
{
    // Cookie settings
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    options.LoginPath = "/Identity/Account/Login";
    options.AccessDeniedPath = "/Identity/Account/AccessDenied";
    options.SlidingExpiration = true;
    options.Cookie.Name = GlobalConstants.AuthCookieName;
});

Check the custom name (stored in a global constant) for options.Cookie.Name.

Then I wrote my little logout action like this:

[Authorize]
[HttpGet]
public IActionResult Logout()
{
    Response.Cookies.Delete(GlobalConstants.AuthCookieName);
    return RedirectToAction("Index");
}

Finally I placed a link to this new Logout action in my user-menu.

That’s it. Hope it helps.

8 thoughts on “Fix sign-out with ASP.Net Identity Core 2.1 Leave a comment

  1. I have coded a login form. I don’t want it to logout automatically. On localhost, it doesn’t logout automatically, but on host server, it logs out whenever it wants (even while its active it logs out as well)

    Like

  2. I am vague on the GlobalConstants class. Or the value for:
    options.Cookie.Name = GlobalConstants.AuthCookieName;

    Like

  3. Hi Marc,

    As you rightly pointed out, when a user logs out, there’s no server side record of this. Hence, if I copy the application cookie to the clipboard or some other place using a chrome extension like “Cookie Editor”, I can easily log in without providing any credentials by just ‘pasting’ the copied cookies back. Is there a way to actually, sign out the user on the server side within the ASP.NET Core Identity framework? By ‘sign out’ I mean pasting the cookie values that were copied earlier must not log the user back once he has logged out.

    Regards,
    Ganesh

    Like

  4. Was logging off actually working in .Net Core 2.1, when you actually wrote the above piece of code? Was the user actually getting signed out on the server side?

    Regards,
    Ganesh

    Like

    • That was back in November 2018. I can’t remember about the server side but I think there was no server-call and therefore no server-side logout involved. Depending on your configuration the login token will expire sooner or later. Even if the user still “working” on your website a hacker can use his token if he/she get access to the token. That’s why normally connection should go over HTTPS so no man-in-the-middle can grab tokens etc.

      Liked by 1 person

      • The behavior currently being observed with .NET 5 is like this:
        1. User logs in using ASP.NET Identity framework’s login UI by providing email ID and password.
        2. He / she does some work and leaves the computer, for a break, without locking the desktop or logging out of the web app.
        3. Another user wanting to take advantage, sits at the computer and using a browser extension (like, Cookie Editor) copies the cookies and saves it to another location (like, a pen drive).
        4. Meanwhile, the first user comes back from the break and continues working. Finally, he or she logs out of the web app.
        5. The second user uses the saved cookies to login to the web app without having to provide the credentials.

        Am I missing something? Is this the way ASP.NET Core Identity is supposed to work?

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: