Reputation: 4862
WebSecurity.IsAuthenticated is true after WebSecurity.Logout, because the response needs to be completed before a change of the property for cookie reasons. I redirect for that reason via JavaScript again. In the second response, WebSecurity.IsAuthenticated == true is often the case as well. I don't know why. Seems random to me. Any way to get WebSecurity.IsAuthenticated == false after logout? Maybe it's a caching problem.
_Layout.cshtml
<body>
    @{Html.RenderAction("Header", "Menu", new { area = "" });}
    @RenderBody()
</body>
MenuController.cs
[OutputCache(Duration = 1, VaryByParam = "*")]
public class MenuController : Controller
{
    [ChildActionOnly]
    public ActionResult Header()
    {
        return PartialView("~/Views/Shared/_Header.cshtml");
    }
}
Logout.cshtml
<h2>Logout</h2>
<script type="text/javascript">
    $(document).ready(function () {
        if ('@WebSecurity.IsAuthenticated' == "True") {
            window.location.reload(true);
        }
    });
</script>
AccountController.cs
public ActionResult Logout()
{
    if (WebSecurity.IsAuthenticated)
    {
        WebSecurity.Logout();
        Session.Abandon();
        var url = Url.Action("Logout", new { controller = "Account", area = "SomeArea" });
        Response.RemoveOutputCacheItem(url);
    }
    return View();
}
HTTP/1.1 200 OK
Cache-Control: public, max-age=1
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: Mon, 16 Feb 2015 20:47:56 GMT
Last-Modified: Mon, 16 Feb 2015 20:47:55 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RDpcUHJvamVjdHNcU29mdHdhcmVcbXZjLXRlbXBcbXZjLndlYlxWZW5kb3JcQWNjb3VudFxMb2dvdXQ=?=
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Date: Mon, 16 Feb 2015 20:47:54 GMT
Content-Length: 1633

HTTP/200 responses are cacheable by default, unless Expires, Pragma, or Cache-Control headers are present and forbid caching.
HTTP/1.0 Expires Header is present: Mon, 16 Feb 2015 20:47:56 GMT
HTTP/1.1 Cache-Control Header is present: public, max-age=1
    public: This response MAY be cached by any cache.
    max-age: This resource will expire in ,02 minutes. [1 sec]
HTTP/1.1 Vary Header is present: Accept-Encoding
    The cache MUST contact the server to verify freshness unless the value of the headers named match those of the request that generated the cache entry.
    Note: IE has limited support for Vary. See http://fiddler2.com/r/?ievary
    !! WARNING: Responses which VARY should specify an ETAG to enable conditional revalidation requests.
HTTP Last-Modified Header is present: Mon, 16 Feb 2015 20:47:55 GMT
This response did not set any cookies.
This response did not contain a P3P Header.
Tested with Chrome, Firefox..
Upvotes: 0
Views: 973
Reputation: 495
Checking IsAuthenticated and changing the visibility states.
$(document).ready(function () {
    $.ajax({
        type: "GET",
        url: "/SomeArea/Account/IsAuthenticated",
        cache: false
    })
    .done(function (isAuth) {
        if (isAuth == "True") {
            $(".auth").show();
            $(".no-auth").hide();
        }
        else {
            $(".auth").hide();
            $(".no-auth").show();
        }
    });
});
Upvotes: 1
Reputation: 1418
The OutputCache attribute caches the page/response content including the outcome of the piece of code where you evaluate the @WebSecurity.IsAuthenticated on the server side. In your MVC view the client script looks like this:
$(document).ready(function () {
    if ('@WebSecurity.IsAuthenticated' == "True") {
        window.location.reload(true);
    }
});
While your cached response gets sent to the browser: (even when logged out)
$(document).ready(function () {
    if ('True' == "True") {
        window.location.reload(true);
    }
});
Conclusion: @WebSecurity.IsAuthenticated is evaluated only once on the server and then cached as part of the response body for each subsequent request that comes within the duration of the OutputCache where not varied by any parameter.
Solution: [OutputCache(VaryByHeader="Cookie",Duration=1)] or remove the OutputCache attribute from the controller method.
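Another thing you can do is redirect to the logout page with a unique parameter:
$(document).ready(function () {
    if ('@WebSecurity.IsAuthenticated' == "True") {
        // Use '?' when the URL has no query string yet, '&' otherwise.
        var separator = window.location.search ? '&' : '?';
        window.location = window.location.href + separator + 'uniqueParameter=' + GenerateRandom();
    }
});
function GenerateRandom()
{
    // Any value that differs on every call works here.
    return new Date().getTime() + '' + Math.floor(Math.random() * 1000000);
}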
The above will work with your current OutputCache attribute set to VaryByParam.
What is your idea about using output cache like this?
Upvotes: 0
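An added example, not code from any post in this thread: a small Node.js check that parses response headers like those in the question's Fiddler capture and flags a login-state-dependent page that a cache may reuse without keying on the Cookie header. The function names, finding codes and sample header strings are constructed for illustration.

```javascript
// Added example: audit the caching headers of a page whose body depends on
// login state. Sample headers below are constructed, based on the capture above.

// Parse "Name: value" lines into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = Object.create(null);
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Return finding codes; an empty array means no issue was detected.
function auditAuthDependentResponse(raw) {
  const h = parseHeaders(raw);
  const cc = tokens(h["cache-control"]);
  if (cc.includes("no-store")) return []; // nothing may keep a copy
  const vary = tokens(h["vary"]);
  const keyedOnCookie = vary.includes("cookie") || vary.includes("*");
  const m = cc.map((t) => /^max-age=(\d+)$/.exec(t)).find(Boolean);
  // max-age takes precedence over Expires when both are present.
  const fresh = m ? Number(m[1]) > 0 : "expires" in h;
  const findings = [];
  if (fresh && !cc.includes("no-cache") && !keyedOnCookie) {
    findings.push("REUSED_WITHOUT_COOKIE_KEY"); // stale login state can be replayed
  }
  if (cc.includes("public") && !cc.includes("private") && !keyedOnCookie) {
    findings.push("SHARED_CACHE_STORABLE"); // proxies may serve it to other users
  }
  return findings;
}

// Constructed samples: the question's headers, and two corrected variants.
const asCaptured = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=1\r\n" +
  "Expires: Mon, 16 Feb 2015 20:47:56 GMT\r\nVary: Accept-Encoding";
const variedByCookie = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=1\r\nVary: Cookie";
const notStored = "HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store";

console.log(auditAuthDependentResponse(asCaptured));
console.log(auditAuthDependentResponse(variedByCookie));
console.log(auditAuthDependentResponse(notStored));
```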