当前位置: 动力学知识库 > 问答 > 编程问答 >

c# - OWIN authentication, expire current token and remove cookie

问题描述:

I have a OWIN Middleware for authentication. We have two type of authentication in place.

First type is bearer token using the following configuration

var OAuthOptions = new OAuthAuthorizationServerOptions

{

AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,

TokenEndpointPath = new PathString("/Token"),

Provider = new ApplicationOAuthProvider(PublicClientId),

AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),

AllowInsecureHttp = true,

AccessTokenFormat = new SecureTokenFormatter(GetMachineKey())

};

And second type use authentication cookie for external Login

app.UseCookieAuthentication(new CookieAuthenticationOptions

{

AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,

AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,

CookieHttpOnly = true,

CookieSecure = CookieSecureOption.SameAsRequest,

CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,

ExpireTimeSpan = TimeSpan.FromMinutes(5),

TicketDataFormat = new SecureTokenFormatter(GetMachineKey())

});

When the User Logout, we actually issue two Logout

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);

And

Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ExternalBearer);

With the first one, I am expecting to see the .AspNet.ExternalCookie Cookie deleted from the Browser, which is not.

With the second one, I am expecting to get my Token invalidated and The User.Current.Identity = null, which is not.

So how I can

1) Physically logout the current Identity for the current Session?

2) Remove the external Cookie from the Browser?

网友答案:

I had the same issue you had and after 3 days of searching I found the asnwer(sort of...).

Try ONE(and only one) of these code lines in your log out. (they all worked for me, but and I'm using the first one, but the more examples the better, right??)

Request.GetOwinContext().Authentication.SignOut();

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

The problem is well described in this article, but it does not provide a working fix(at least for me it didn't) http://coding.abel.nu/2014/11/catching-the-system-webowin-cookie-monster/

分享给朋友:
您可能感兴趣的文章:
随机阅读: