Logout not working, .AspNet.ApplicationCookie is not being deleted

Vote:
 

When I click on logout I am taken to util/logout.aspx however when I navigate back to the main page of our website I am still logged in and can access the CMS backend.

From what I can tell the cookie .AspNet.ApplicationCookie is not being deleted.

In our PageControllerBase.cs we have:

        public ActionResult Logout()
        {
            UISignInManager.Service.SignOut();
            return RedirectToAction("Index");
        }

Which when I compare it to the Alloy EpiServer demo appears to be identitical.

Where else do I need to look to check what could be the issue?

In case it is also relevant, we are using a custom login page:

namespace Project.Site.Controllers
{
    public class CustomLoginController : Controller
    {
        private UISignInManager uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
        private UIUserProvider uiUserProvider = ServiceLocator.Current.GetInstance<UIUserProvider>();

        public ActionResult Index()
        {
            return View(Global.CustomLoginView);
        }

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        [ValidateInput(false)]
        public ActionResult LocalLogin(CustomLoginViewModel model)
        {
            if (ModelState.IsValid)
            {

                bool result = uiSignInManager.SignIn(uiUserProvider.Name, model.Username, model.Password);

                if (result)
                {
                     return Redirect(UrlResolver.Current.GetUrl(ContentReference.StartPage));
                }
            }

            ModelState.AddModelError("LoginError", "Login failed");

            return View(Global.CustomLoginView, model);
        }

    }
}
#226511
Edited, Aug 14, 2020 6:55
Vote:
 

Which browsers does this happen in? Chrome 80+?

#226587
Edited, Aug 16, 2020 15:30
Vote:
 

From what I have tested so far this is happening in Chrome 84, Edge 84, Firefox (Extended Support Release) 68, Internet Explorer 11.

#226641
Aug 17, 2020 7:05
Vote:
 

Do your cookie have a Secure flag? And do the "cookie deletion" (when deleting a cookie the server sends the same cookie name, but with an old expiration date) also feature a Secure flag?

#226654
Aug 17, 2020 18:39
Vote:
 

Thank you for the info.

From what I can tell, we are not using any custom logout or cookie deletion script. So I assume we are using episerver defaults?

#226677
Aug 18, 2020 8:45
Vote:
 

Yes, that you would be the Episerver defaults which in turn relies on the OWIN cookie authentication middleware.

Do you use HTTPS or HTTP when it doesn't work? And can you find and show me the Set-Cookie response header from the log-out page request?

#226688
Aug 18, 2020 15:39
Vote:
 

Try to remove forcefully cookies from the browser on signout action and pass the cookie name into remove method as below:

public ActionResult Logout()
{
   var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();  
   uiSignInManager.SignOut();
   
   HttpContext.Response.Cookies.Remove(".AspNetCore.Cookies");
   
   return RedirectToAction("Index");
}
#226769
Aug 20, 2020 3:20
Vote:
 

Thank you for the suggestion. This was actually one of the first things I tried, I tried it again with your syntax and again it had no effect. However it just occured to me to set a breakpoint in Visual Studio while running the app locally on my pc and upon trying to sign out of EpiServer the breakpoint was never triggered. Where else could there be a signout action? Where is it common to place this signout action in episerver?

#226785
Aug 20, 2020 9:14
Stefan Holm Olsen - Aug 20, 2020 9:38
Also, this would just be removing the symptom. Not fixing the issue.
EpiNewbie - Aug 20, 2020 9:39
Yes true
Stefan Holm Olsen - Aug 20, 2020 10:12
If you could provide a sample of the header value, then I can diagnose further.
EpiNewbie - Aug 20, 2020 10:34
Done below
Vote:
 

So when I click on log out in the drop down menu, I am taken to ../Util/logout.aspx

Here is the set-cookie from the response header of that page:

access-control-expose-headers: Request-Context
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 5c5b34530ee4cb98
cf-request-id: 04ad03d3e20fgyfgyfg0200000001
content-encoding: gzip
content-length: 2599
content-type: text/html; charset=utf-8
date: Thu, 20 Aug 2020 10:29:57 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: -1
pragma: no-cache
request-context: appId=cid-v1:dfgyfdg5-1650-4750-81d0-yfgyfgyfgf
server: cloudflare
set-cookie: __epiXSRF=QBY3NoddYh7udKJiNLExnx2gl8RQgIMyy9NoexL4k04=; path=/; secure; HttpOnly
status: 200
strict-transport-security: max-age=15552000; includeSubDomains; preload
vary: Accept-Encoding
x-aspnet-version: 4.0.30319
x-content-type-options: nosniff
X-DNS-Prefetch-Control: off
x-powered-by: ASP.NET
#226791
Edited, Aug 20, 2020 10:36
Stefan Holm Olsen - Aug 20, 2020 10:57
Can you confirm that you are using ASP.Net Identity and OWIN?
Vote:
 

The Upcoming SameSite Cookie has been changed in ASP.NET and ASP.NET Core according to this article, so try with different way:

Ensure that ASP.NET_SessionId cookie has "secure" flag set to "true" explicitly

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="strict" />
</system.web>

Remove cookies forcefully.

HttpCookie Cookie = HttpContext.Current.Request.Cookies[cookieName];
if (Cookie != null)
{
    Cookie.Secure = true;
    Cookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(Cookie);
}
#226797
Aug 20, 2020 14:43
EpiNewbie - Oct 16, 2020 9:37
Where would you suggest to place this forceful cookie removal?
Vote:
 

Hi epiNewbie

First of all, the code you implemented in your PageControllerBase class, will not be hit from /util/logout.aspx. The logic is more or less the same, as both are calling the same service. But you won't see your breakpoint being hit.

Second. I was asking for browser version etc. because Chrome (and the others) have made some big changes to cookie security.

To make sure a SameSite mode is being transmitted when deleting the cookie, you can try these steps:

  1. Make sure the project is on .Net Framework 4.7.2
  2. Copy the SameSiteCookieManager class from this documentation page.
  3. Upgrade all NuGet packages, which starts with "Microsoft.Owin" to version 4.1.0 or higher (if available).
  4. Merge in the CookieManager property from below code sample into your Startup.cs file.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieManager = new SameSiteCookieManager(new CookieManager())
    // ... Rest follows here.
}

Let us know whether this works or not. If not, there are other things to try.

#226800
Aug 20, 2020 15:49
Vote:
 

Hi Stefan,

So I have changed the .NET version of our project from 4.6.1 to 4.7.2.

I have added the SameSiteCookieManager class from the documentation page but in this new class I get the following error in relation to: 

public SameSiteCookieManager() : this(new CookieManager())
        {
        }

The error is in reference to CookieManager() : "The type or namespace name 'CookieManager' could not be found (are you missing a using directive or assembly reference?)"

Any idea what could be the cause of this? (I am a relative newbie when it comes to C#).

#229422
Oct 14, 2020 12:20
EpiNewbie - Oct 14, 2020 18:32
Ignore this. After some more research I figured out that I had to update OWIN related packages. That fixed the problem.
Stefan Holm Olsen - Oct 15, 2020 15:45
Glad to hear that these fixes solved your issue.
EpiNewbie - Oct 16, 2020 7:58
Sorry I may have caused confusion. It did not fix the logout issue, it fixed the errors being displayed in Visual Studio when I copied over this class from the documentation website you shared earlier :-)
Stefan Holm Olsen - Oct 18, 2020 11:40
Did the new class change how the Set-Cookie response header looks when logging out?
Vote:
 

So quick question, I have been able to incorporate the SameSiteCookieManager Class to almost 99%. Currently I am getting an error in Visual Studio that DisallowsSameSiteNone is not recognized. I have not been able to find out yet which reference or package this requires to work. Any idea?

#229456
Oct 15, 2020 8:10
Vote:
 

How can I check that in fact the episerver logout script is firing? From that I could tell from searching the web /util/logout.aspx simply contains a page with a confirmation message that logout has been completed and offers a button to log in again. But that does not mean the episerver logout script is in fact firing in our case. However I cannot find anything related to a logout in our Visual Studio project execpt in Controllers/PageControllerBase.cs which as mentioned in a previous post here in the thread is not firing (breakpoint was not reached).

So is there anything I can test/check in episerver to see if default logout behaviour is working? I am assuming this is tucked away in somd dll correct?

Any other suggestions on what to try to fix this logout issue?

#229499
Oct 16, 2020 9:37
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.