This project has moved. For the latest updates, please go here.
2

Closed

ASP.Net Identity Signout Fails

description

Signout fails, if the Log Off request is the first one after the security stamp expires and needs to be validated. It seems that the security stamp validation code does not detect the fact that the user was signed out during the same request and issues a new security stamp.

Steps to reproduce:
  • Create a new ASP.Net Web Application Project (I used VS 2013 Update 3). Make sure to include MVC and leave the default "Indivisual User Accounts" authentication.
  • Edit Startup.Auth.cs and change the validateInterval to a minute or two. This does not affect the issue, but makes it easy to reproduce, as you don't have to wait the default 30 minutes, before trying to log off:
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
    validateInterval: TimeSpan.FromMinutes(2),...
  • Run the project, register a user and log in. Note the login time.
  • Wait for an amount equal to the validateInterval.
  • Click the Log Out button. This should cause a page refresh, but you will notice that you are still logged in. If you were observing cookie exchanges, you would have noticed that the server issued a new application cookie as part of this request, consistent with the fact that a new security stamp was issued.
Notes:
  • A second click on the Log Off button does achieve a signout, as long as you don't wait until the next security stamp validation.
  • One does not have to remain idle before hitting the Log Off button. You may continue making requests, as long as the first request after the security stamp expires is the one with the signoff payload.
Components:
  • ASP.Net Identity Owin 2.1.0
  • ASP.Net Identity Core 2.1.0
  • Microsoft.Owin 3.0.0
  • Microsoft.Owin.Security 3.0.0
  • Microsoft.Owin.Security.Cookies 3.0.0
  • Microsoft ASP.NET MVC 5.2.2
  • Microsoft ASP.NET Web Pages 3.2.2
Closed Nov 19, 2014 at 5:43 PM by Tratcher

comments

Tratcher wrote Oct 3, 2014 at 12:16 AM

Have you tried this on v3.0.0? There have been some improvements here.

tiritas wrote Oct 3, 2014 at 12:42 AM

Tracher: Are you referring to Asp.Net Identity 3.0.0 Alpha 3? The answer is no. This is a production project and I can't use unreleased components.

tiritas wrote Oct 3, 2014 at 1:04 AM

Oops, sorry. I just realized that I am actually using v3 of the Owin components. I originally posted incorrect version information, because I got it from the empty project I created to verify that this issue is not caused by something I'm doing wrong in my own project. I just updated the component versions to the ones I'm using on my actual project.

Tratcher wrote Oct 3, 2014 at 5:32 PM

Ok, it sounds like you're hitting a known issue where an explicit sign-in is preferred over a generic sign-out (no-params). If you change your app to call SignOut with the AuthenticationType of the cookie middleware, that should override the explicit sign-in.

tiritas wrote Oct 3, 2014 at 6:45 PM

I have two projects -- both built with the default VS 2013 Update 3 project templates. One still uses the OWIN 2.1 components, while in the other the components have been updated to the 3.0.0 components.

I modified the AccountController.LogOff action in both projects to specify the authentication type, as follows:

AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie, DefaultAuthenticationTypes.ExternalCookie);

Signout still fails in the project with the old components, but works fine in the project with the 3.0.0 versions.

Thanks for your help.