John Hughes

Reputation: 377

Can't logoff identity MVC 5 (sometimes)

Our website sometimes decides you can't log out; most of the time it works. Below are the basic guts of the matter. I have seen this problem with Chrome and IE on the remote server and in local testing using VS. It even decided to be a problem long enough with local testing to try to force deleting the session with clear/abandon and setting all the cookie dates to -1 day. Did not help.

Note: as soon as I do F12 and clear the cookies for the domain, the problem stops and the user is logged off. I have changed the SignOut(...) as you see it and without parameters, no change. Again, this only happens sometimes, so it is hard to test.

It seems like the system is unable to delete the cookies from the browser but I can't see a reason why and with different browsers it makes even less sense.

I am aware of this link, seems similar: Cannot logoff of identity MVC 5 application

Suggestions on what to try or where to look, thanks.

Login
var user = await UserManager.FindAsync(model.Email, model.Password);
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = true }, await user.GenerateUserIdentityAsync(UserManager));

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
   AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
   return RedirectToAction("Index", "Home");
}

Edit: Looking in Chrome F12-Cookies. If I just delete the .AspNet.ApplicationCookie and try to navigate, I am logged off. Pressing the logoff option still does not work. I see that the cookie expires in 14 days and the date does not change. Really seems like either the default system is not trying to expire the cookie or is not allowed to. Is the source code for this available yet?

Upvotes: 1

Views: 3738

Answers (2)

Matt Roberts

Reputation: 26917

I think I know what the problem is here - although I'm not sure how to fix it, such is the mess of documentation for asp.net identity sometimes ;(

I had exactly the same symptoms. The key issue is, do you use a SecurityStampValidator that verifies and recreates (if needed) your cookie?

I do, and mine is set to validate very frequently (from my Startup.auth):

Provider = new CookieAuthenticationProvider
{
    // Enables the application to validate the security stamp when the user logs in.
    // This is a security feature which is used when you change a password or add an external login to your account.  
    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User, int>(
        validateInterval: TimeSpan.FromMinutes(1), 
        regenerateIdentityCallback: (manager, user) =>
        {
            return user.GenerateUserIdentityAsync(manager);
        },
        getUserIdCallback: id => (int.Parse(id.GetUserId()))
        ),
},

So assuming that you have similar code - how do you recreate? Simple - log in, hit a page on your app, then wait for the defined validateInterval to lapse - so for me, wait 1 minute. After 1 minute, log off. Boom. I'm not logged off.

Now, the issue here is that the GenerateUserIdentityAsync method RECREATES your auth cookie, right after the signout has happened. I've verified that with logging - the _authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); in my LogOff action is happening, and then the cookie gets regenerated. Doh.

How to fix - well the obvious thing is to increase the validateInterval, but that impacts security - If someone is logged on to 2 computers, and changes their password, I'd like both accounts to be logged out pretty swiftly - which is what this does.

So, that's (probably) the cause. Sorry I can't offer a nice fix :(

Upvotes: 4
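One way to keep the short validateInterval from the answer above while stopping the validator from re-issuing the cookie on the sign-out request, as an added example that is not code from the question, the answers, or ASP.NET Identity itself. It assumes the LogOff action is routed at /Account/LogOff, the login page at /Account/Login, and that the regeneration happens on the same request as LogOff, as the answer describes; ApplicationUserManager and User are the types from the answer's snippet.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Assumption: route of the sign-out action; adjust to the application's own route.
    private static readonly PathString LogOffPath = new PathString("/Account/LogOff");

    public void ConfigureAuth(IAppBuilder app)
    {
        // Same validator as in the answer, held in a local so it can be wrapped.
        Func<CookieValidateIdentityContext, Task> validateStamp =
            SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User, int>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: id => int.Parse(id.GetUserId()));

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // assumption: template default
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    // On the sign-out request, do not run the stamp validator:
                    // if validateInterval has lapsed it would sign the user in
                    // again and the fresh cookie would survive the SignOut call.
                    if (context.Request.Path.StartsWithSegments(LogOffPath))
                    {
                        return Task.FromResult(0);
                    }

                    // Every other request keeps the one-minute stamp check, so a
                    // password change still invalidates other sessions quickly.
                    return validateStamp(context);
                }
            }
        });
    }
}
```

The LogOff action still has to call SignOut for DefaultAuthenticationTypes.ApplicationCookie, the cookie this middleware issues. Skipping the stamp check on that single request does not weaken the check, because the request ends the session anyway.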

Ivaylo Botusharov

Reputation: 31

I had the same problem with not being able to log off after some time using ASP.NET MVC 5 and Google Chrome and have just found the solution in the post: ASP.Net MVC 5 w/identity 2.2.0 Log off not working. The problem has been solved for now, but I will need to test it for some more time because it is an intermittent issue. There are people in this post who confirm their issue is also resolved. So, give it a try!

Upvotes: 0
