My site uses ASP.Net MVC 5.2.2 and ASP.Net Identity 2.1.0. In CookieAuthenticationOptions I set the ExpireTimeSpan to 30 minutes and the security stamp validation interval is set to 2 minutes (so that users will be booted out within two minutes of a call
to UserManager.UpdateSecurityStampAsync).
The problem is that if users remain idle for longer than 2 minutes and then click on the Sign Out button, the site fails to log them off. After a bit of sleuthing, I found that in these cases the server returns a new application cookie (the cookie sent to
the server was different than the one returned from it). What seems to be happening is that the OWIN code misses the call to AuthenticationManager.SignOut and goes ahead with the generation of a new application cookie, as it normally would have in cases where
the old one is more than two minutes old.
Has anybody else encountered this issue? Any suggestions on how to diagnose and fix?
Hi tiritas,
Thanks for your post.
You can try setting AuthenticationMode like this:
AuthenticationMode = AuthenticationMode.Active
More information:
http://stackoverflow.com/questions/21275399/login-page-on-different-domain
What is ASP.NET Identity’s IUserSecurityStampStore<TUser> interface?
Hope it can be helpful.
Best Regards,
Eileen
I tried using AuthenticationMode = AuthenticationMode.Active in my application options for cookie authentication, but the problem remains. Here’s my setup:
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        ExpireTimeSpan = TimeSpan.FromMinutes(Settings.Default.LoginExpirationMinutes),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password or add an external login to your account.
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(2),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: id => id.GetUserId<int>())
        }
    });

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
Any other suggestions?
Hi tiritas,
Thanks for your post.
Have you installed VS 2013 Update 3? Because ASP.NET Identity 2.1 is included in the ASP.NET templates which were released with VS 2013 Update 3.
More information:
#Announcing RTM of ASP.NET Identity 2.1.0
http://blogs.msdn.com/b/webdev/archive/2014/08/05/announcing-rtm-of-asp-net-identity-2-1-0.aspx
Hope this can be helpful.
Best Regards,
Eileen
Yes, I did install VS 2013 Update 3.
As an experiment, I created a brand new ASP.NET Web Application project with the VS 2013 Update 3 templates and noticed the exact same issue: I logged in and then waited for an amount of time equal to the security stamp validateInterval (by default, 30 minutes).
After that I clicked the Log Off link and noticed that, just like in my own project, I was not logged out. I had to click the link a second time to be logged out. In fact, I didn’t even need to sit idle for 30 minutes: I could keep making requests during that
period and the click to the log out button would still fail, as long as it was the first request after the 30-minute interval expired.
This seems to be a bug in the OWIN identity code. Basically, if the first request after the validation interval is a signout request, it fails, because the code that validates and issues a new security stamp does not check if the user has logged out as part
of the same request. Log out requests will fail, as long as they are part of a request that would cause the re-issuance of the security stamp — i.e. the first request that is after validateInterval minutes since issuance of the previous security stamp.
I would appreciate it if somebody could confirm this behavior. You don’t have to wait 30 minutes and do not have to create a new project. Just take an existing project that uses Identity, temporarily set the validation interval to something really short
(30 seconds or a minute), log in, and ensure that the first request after the interval expires is a click on the Logout button. If this is a bug, you should notice that you are still logged in.
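One defensive workaround that follows from the diagnosis above: skip security-stamp validation (and therefore the identity replacement that makes the cookie handler renew the cookie) on the sign-out request itself, so the SignOut call is the only cookie operation on that response. This is an added example, not code from the thread or from Katana/ASP.NET Identity. It assumes the sign-out action is served at /Account/LogOff (the MVC 5 template default) and reuses the ApplicationUserManager, ApplicationUser, GenerateUserIdentityAsync and int-key types from the Startup code posted earlier in the thread; ExpireTimeSpan is hard-coded to 30 minutes here instead of being read from Settings.

```csharp
// Startup.Auth.cs fragment (added example, not from the original thread).
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    // Assumed route of the sign-out action (MVC 5 template default).
    private static readonly PathString SignOutPath = new PathString("/Account/LogOff");

    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // The stock validator: every 2 minutes it re-checks the stamp and, when the stamp
        // still matches, replaces the identity, which tells the cookie handler to renew the cookie.
        Func<CookieValidateIdentityContext, Task> stampValidator =
            SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, int>(
                validateInterval: TimeSpan.FromMinutes(2),
                regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: id => id.GetUserId<int>());

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    // On the sign-out request, do not validate or regenerate the identity:
                    // a renewed cookie issued in the same response would override SignOut.
                    // Skipping the staleness check here is harmless because the request's
                    // only effect is to end the session.
                    if (context.OwinContext.Request.Path.Equals(SignOutPath))
                    {
                        return Task.FromResult(0);
                    }
                    return stampValidator(context);
                }
            }
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    }
}
```

To confirm the workaround, repeat the reproduction described above (short validateInterval, wait it out, click Log Off as the first request) and inspect the response to the sign-out request: it should carry a single Set-Cookie for the application cookie with an expiry in the past, not a fresh cookie value. If the sign-out action is reachable by more than one route, compare against each of them rather than a single path.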
This seems to be a bug,
http://stackoverflow.com/questions/25824242/signout-is-not-working-when-calling-after-passwordsignin
I reported the bug on the Katana Codeplex site: