
Fix sign-out with ASP.Net Identity Core 2.1

For a new app I’m writing using ASP.Net MVC Core 2.1, EF Core 2.1 and ASP.Net Identity 2.1, I had to implement the sign-out / log-out functionality. You may ask why, since this ships with ASP.Net Core out of the box. Yes, it does. But in the default template with ASP.Net Identity Core EF 2.1 it does not work.

I think it can work, but that depends on the kind of authentication you activate. I use token authentication via cookies. The log-off action shipped with ASP.Net Core 2.1 doesn’t work for this: it forwards you to the log-off page telling you that you have been logged out, but actually you are still logged in.

I figured out that the cookie with the authentication token is still present in the browser session, even after you called the default logout action. Token authentication works like this: the server generates an encrypted authentication token (basically a string) that is passed back and forth in a cookie, and the server validates this token with each request. Normally there is no server-side token store, so there is no need to actively log out on the server side.

To fix it I implemented my own action which removes this cookie and then redirects to the start page of my app. To make this more reliable I gave the authentication cookie my own custom name.

In ConfigureServices() in Startup.cs I placed the following code to configure authentication:

services.ConfigureApplicationCookie(options =>
{
    // Cookie settings
    options.Cookie.HttpOnly = true;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    options.LoginPath = "/Identity/Account/Login";
    options.AccessDeniedPath = "/Identity/Account/AccessDenied";
    options.SlidingExpiration = true;
    options.Cookie.Name = GlobalConstants.AuthCookieName;
});

Note the custom name (stored in a global constant) assigned to options.Cookie.Name.

Then I wrote my little logout action like this:

[Authorize]
[HttpGet]
public IActionResult Logout()
{
    // Remove the browser's copy of the authentication cookie (it must match the
    // custom name configured in Startup), then send the user to the start page.
    Response.Cookies.Delete(GlobalConstants.AuthCookieName);
    return RedirectToAction("Index");
}

Finally, I placed a link to this new Logout action in my user menu.

That’s it. Hope it helps.
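As an added example (not the post's own code), here is the same cookie setup extended with the server-side sign-out the comments below ask about: deleting the cookie only removes the browser's copy, while the encrypted ticket itself stays valid until ExpireTimeSpan, so a copied cookie keeps working; rotating the user's Identity security stamp on logout and shortening the stamp validation interval makes such a cookie fail validation. Assumptions: IdentityUser is the user type, the GlobalConstants value is made up, and a stale cookie is rejected only at its next stamp check, i.e. up to ValidationInterval after logout.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed constant: the post keeps the name in a GlobalConstants class; the value is made up here.
public static class GlobalConstants { public const string AuthCookieName = "MyApp.Auth"; }

public static class AuthSetup
{
    // Call from Startup.ConfigureServices() after AddIdentity/AddDefaultIdentity.
    public static void Configure(IServiceCollection services)
    {
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // send the cookie over HTTPS only
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;
            options.Cookie.Name = GlobalConstants.AuthCookieName;
        });
        // Identity re-validates the SecurityStamp claim carried in the cookie against the
        // store at most this often (default 30 minutes); a mismatching stamp rejects the cookie.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(5));
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public AccountController(SignInManager<IdentityUser> s, UserManager<IdentityUser> u)
    { _signInManager = s; _userManager = u; }

    [Authorize, HttpPost, ValidateAntiForgeryToken] // POST with anti-forgery token, not a GET link
    public async Task<IActionResult> Logout()
    {
        // Rotating the stamp invalidates every cookie issued to this user, copies included,
        // once each of them is next validated (so this also ends sessions on other devices).
        var user = await _userManager.GetUserAsync(User);
        if (user != null) await _userManager.UpdateSecurityStampAsync(user);
        // Clears the application cookie via the authentication scheme; no cookie name needed.
        await _signInManager.SignOutAsync();
        return RedirectToAction("Index", "Home");
    }
}
```

A cookie captured before logout is therefore usable for at most ValidationInterval afterwards, which is the window to tune against the extra database lookups a shorter interval costs.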

8 thoughts on “Fix sign-out with ASP.Net Identity Core 2.1”

  1. I have coded a login form. I don’t want it to logout automatically. On localhost, it doesn’t logout automatically, but on the host server, it logs out whenever it wants (even while it’s active it logs out as well).

  2. I am vague on the GlobalConstants class. Or the value for:
    options.Cookie.Name = GlobalConstants.AuthCookieName;


  3. Hi Marc,

    As you rightly pointed out, when a user logs out, there’s no server side record of this. Hence, if I copy the application cookie to the clipboard or some other place using a chrome extension like “Cookie Editor”, I can easily log in without providing any credentials by just ‘pasting’ the copied cookies back. Is there a way to actually, sign out the user on the server side within the ASP.NET Core Identity framework? By ‘sign out’ I mean pasting the cookie values that were copied earlier must not log the user back once he has logged out.

    Regards,
    Ganesh


  4. Was logging off actually working in .Net Core 2.1, when you actually wrote the above piece of code? Was the user actually getting signed out on the server side?

    Regards,
    Ganesh


    • That was back in November 2018. I can’t remember about the server side, but I think there was no server call and therefore no server-side logout involved. Depending on your configuration the login token will expire sooner or later. Even if the user is still “working” on your website, a hacker can use his token if he/she gets access to it. That’s why normally the connection should go over HTTPS so no man-in-the-middle can grab tokens etc.

      • The behavior currently being observed with .NET 5 is like this:
        1. User logs in using ASP.NET Identity framework’s login UI by providing email ID and password.
        2. He / she does some work and leaves the computer, for a break, without locking the desktop or logging out of the web app.
        3. Another user wanting to take advantage sits at the computer and, using a browser extension (like Cookie Editor), copies the cookies and saves them to another location (like a pen drive).
        4. Meanwhile, the first user comes back from the break and continues working. Finally, he or she logs out of the web app.
        5. The second user uses the saved cookies to log in to the web app without having to provide the credentials.

        Am I missing something? Is this the way ASP.NET Core Identity is supposed to work?
