After Signout I am able to login using previous ApplicationCookie value

Jun 20, 2016 at 1:42 PM
Hi,

I am using MVC 5 with OWIN 3.0.1.0 in my project for authentication. I logged into the system and captured the .AspNet.ApplicationCookie value using Fiddler. After that I signed out using the code below, then tried to access the link using the same cookie value, and was able to log in/access it without being prompted with the login screen. I also tried to delete and clear the cookies but no luck.

    var ctx = Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    // Tells this browser to delete the auth cookie; does not touch any copy of it elsewhere
    authenticationManager.SignOut();
    Session.Clear();
    Session.Abandon();
Is there any way to fix this issue? How is the OWIN framework authenticating after signing out from the application?
Coordinator
Jun 20, 2016 at 3:04 PM
Jun 20, 2016 at 4:30 PM
Thanks for the reply.

I followed the same procedure as mentioned in the link, but I am still able to access the site using the previous ".AspNet.ApplicationCookie" value after signing out. Below is the code from Startup.Auth.cs:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieManager = new SystemWebCookieManager(), // custom cookie class
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
        },
        SlidingExpiration = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(60)
    });
Coordinator
Jun 20, 2016 at 4:42 PM
Wait, you're manually replaying the cookie? Katana does not have any built-in protection against that. SignOut asks the client to delete the cookie; it does not invalidate it. However, if you use the Identity framework (with the SecurityStampValidator you referenced above), that invalidates the auth session in the user database and eventually the cookie will stop working (see the validateInterval). I think for that to work you need to be using the SignInManager rather than the AuthenticationManager to sign out.
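A worked version of the explanation above, as an added example that is not code from the original thread or from Katana/Identity itself. It assumes the standard MVC 5 / ASP.NET Identity 2.x template types (ApplicationUser, ApplicationUserManager, GenerateUserIdentityAsync) and the Startup.Auth.cs options posted earlier, minus the custom CookieManager. The sign-out still goes through AuthenticationManager.SignOut as in the original code; what invalidates a captured cookie is the call to UserManager.UpdateSecurityStampAsync together with a validateInterval short enough that the validator re-checks the stamp promptly.

```csharp
// Added example, not code from the original thread or from Katana/Identity.
// Assumes the MVC 5 + ASP.NET Identity 2.x template types (ApplicationUser,
// ApplicationUserManager, GenerateUserIdentityAsync) exist in the project.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // validateInterval is how old a cookie may be before its security
                // stamp is re-checked against the database. With the 30 minutes posted
                // above, a replayed cookie keeps working for up to 30 minutes after
                // sign-out. TimeSpan.Zero makes the validator re-check on every request,
                // so a cookie carrying a stale stamp is rejected on the next request.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.Zero,
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
            SlidingExpiration = true,
            ExpireTimeSpan = TimeSpan.FromMinutes(60)
        });
    }
}

public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var userId = User.Identity.GetUserId();

        // 1. Rotate the security stamp stored on the user record. The auth cookie
        //    carries a copy of the stamp as a claim; SecurityStampValidator compares
        //    the two and, on mismatch, rejects the cookie and tells the client to
        //    delete it. This is the step that kills a captured copy of the cookie
        //    (and, as a side effect, every other session of this user on other
        //    browsers and devices).
        if (userId != null)
        {
            await UserManager.UpdateSecurityStampAsync(userId);
        }

        // 2. Ask this browser to delete its copy. On its own this does nothing to a
        //    copy the attacker already captured, which is the behaviour reported above.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        Session.Clear();
        Session.Abandon();

        return RedirectToAction("Index", "Home");
    }
}
```

To check it, repeat the Fiddler test from the first post: log in, save the .AspNet.ApplicationCookie value, call LogOff, then replay the saved cookie. With the stamp rotated and validateInterval at zero, the replayed request is redirected to /Account/Login instead of being served. Two caveats: TimeSpan.Zero costs one user lookup per authenticated request, so a busy site may prefer a short non-zero interval and accept that the replayed cookie works for that long after sign-out; and the cookie ticket itself is self-contained and still expires only at ExpireTimeSpan, so the stamp check is the only server-side revocation point in this setup.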
Jun 20, 2016 at 5:21 PM
I am a bit confused by the above explanation. Could you please elaborate a bit, or give sample code showing what I need to do in my code to resolve this issue?