Output cache can cause access denied when logging out and using ASP.NET Identity

Found in: EPiServer.CMS.Core 7.0.586.0
Fixed in: EPiServer.CMS.Core 11.9.1
Created: May 31, 2018
Updated: Jun 22, 2018
Area: CMS Core
State: Closed, Fixed and tested


Description

Steps to reproduce

  1. Create a new MVC site.
  2. Enable output cache by setting httpCacheExpiration="1:0:0" on applicationSettings in the web.config file.
  3. Add [ContentOutputCache] to StartPageController.
  4. View the start page without logging in.
  5. Log in and view the start page (notice cookie KeepLoggedOnUser).
  6. Log out.

Expected:
You can access the start page.

Actual:
The start page cannot be accessed; a login window is shown instead.

Workaround: Setting the "uiKeepUserLoggedOn" attribute to "false" on applicationSettings in web.config disables this functionality. This feature was meant for classic Windows Authentication and should not be enabled for Forms authentication and ASP.NET Identity authentication.
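
A check for the setting combination described above, as an added example that is not part of the original report or of Episerver's code. The function name audit_web_config and both sample web.config documents are constructed for illustration; it assumes that a missing uiKeepUserLoggedOn attribute means the feature is enabled and that an absent or all-zero httpCacheExpiration means output caching is off.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: Forms auth, output cache on, uiKeepUserLoggedOn unset.
SAMPLE_AFFECTED = """<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
  <episerver xmlns="http://EPiServer.Configuration.EPiServerSection">
    <applicationSettings httpCacheExpiration="1:0:0" />
  </episerver>
</configuration>"""

# The same constructed file with the workaround from the report applied.
SAMPLE_WORKAROUND = SAMPLE_AFFECTED.replace(
    "<applicationSettings ", '<applicationSettings uiKeepUserLoggedOn="false" ')


def find(root, name):
    """First element with this local name, with or without an xmlns."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)


def audit_web_config(xml_text):
    """Return findings for the setting combination described in the report."""
    root = ET.fromstring(xml_text)
    settings = find(root, "applicationSettings")
    if settings is None:
        return []
    sysweb = find(root, "system.web")
    auth = sysweb.find("authentication") if sysweb is not None else None
    # ASP.NET uses Windows authentication when no mode is configured.
    mode = auth.get("mode", "Windows") if auth is not None else "Windows"
    # Assumption: a missing uiKeepUserLoggedOn attribute counts as enabled.
    keep = settings.get("uiKeepUserLoggedOn", "true").strip().lower() != "false"
    if not keep or mode.lower() == "windows":
        return []
    findings = [f'uiKeepUserLoggedOn is enabled with authentication mode "{mode}"; '
                'set uiKeepUserLoggedOn="false" on applicationSettings']
    # Assumption: an absent or all-zero httpCacheExpiration means no output cache.
    if settings.get("httpCacheExpiration", "").strip("0:. "):
        findings.append("output cache is on (httpCacheExpiration is non-zero), "
                        "so logged-out visitors can be sent to the login window")
    return findings


if __name__ == "__main__":
    for label, doc in (("affected", SAMPLE_AFFECTED), ("workaround", SAMPLE_WORKAROUND)):
        print(label, audit_web_config(doc) or "OK")
```

ASP.NET Identity sites normally set the authentication mode to "None", which the check reports in the same way as "Forms".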