I'm having some issues with OWIN Cookie authentication. I have a .Net site that has some MVC pages which uses cookie authentication and WebAPI resources protected by a bearer token.
When I log out, I delete the access token on the client, so subsequent API requests will not have the token in the header and will thus fail the authentication. This part is fine.
In the same manner, I would also like the log out to delete the cookie used by the MVC pages. I did the following on the server:
[Route("Logout")]
public IHttpActionResult Logout()
{
var ctx = Request.GetOwinContext();
var authenticationManager = ctx.Authentication;
authenticationManager.SignOut();
return Ok();
}
However, after the calling Logout, I can still visit the protected MVC page even though the cookie would have supposedly been deleted by the Logout call.
It seems so simple, so I might have missed something.
Thanks,
I had a similar problem for the past few days. Instead of
Request.GetOwinContext().Authentication.authenticationManager.SignOut();
Use ONE(and only one) of these:
Request.GetOwinContext().Authentication.SignOut();
Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
This article explains why your cookies don't get deleted: https://dzone.com/articles/catching-systemwebowin-cookie
I know my answer isn't the most research-based, but to tell you the truth, I just couldn't find WHY my provided code examples work for me. I just know that System.Web messes up Owins cookies if you do SignOut() another way.