When I click on logout I am taken to util/logout.aspx however when I navigate back to the main page of our website I am still logged in and can access the CMS backend.
From what I can tell the cookie .AspNet.ApplicationCookie is not being deleted.
In our PageControllerBase.cs we have:
```csharp
public ActionResult Logout()
{
    // body of the action is not included in the post
}
```
which, when I compare it to the Alloy EpiServer demo, appears to be identical.
Where else do I need to look to check what could be the issue?
In case it is also relevant, we are using a custom login page:
```csharp
public class CustomLoginController : Controller
{
    private UISignInManager uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
    private UIUserProvider uiUserProvider = ServiceLocator.Current.GetInstance<UIUserProvider>();

    public ActionResult Index()
    {
        // body not included in the post
    }

    public ActionResult LocalLogin(CustomLoginViewModel model)
    {
        bool result = uiSignInManager.SignIn(uiUserProvider.Name, model.Username, model.Password);
        // branch on result (success path) not included in the post
        ModelState.AddModelError("LoginError", "Login failed");
        return View(Global.CustomLoginView, model);
    }
}
```
Which browsers does this happen in? Chrome 80+?
From what I have tested so far this is happening in Chrome 84, Edge 84, Firefox (Extended Support Release) 68, Internet Explorer 11.
Does your cookie have a Secure flag? And does the "cookie deletion" (when deleting a cookie, the server sends the same cookie name but with an old expiration date) also carry a Secure flag?
Thank you for the info.
From what I can tell, we are not using any custom logout or cookie deletion script. So I assume we are using the Episerver defaults?
Yes, that would be the Episerver defaults, which in turn rely on the OWIN cookie authentication middleware.
Do you use HTTPS or HTTP when it doesn't work? And can you find and show me the Set-Cookie response header from the log-out page request?
Try to forcefully remove the cookies from the browser in the signout action and pass the cookie name into the remove method, as below:
```csharp
public ActionResult Logout()
{
    var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
    // remaining lines of the action (sign-out and cookie removal) are not included in the post
}
```
Thank you for the suggestion. This was actually one of the first things I tried; I tried it again with your syntax and again it had no effect. However, it just occurred to me to set a breakpoint in Visual Studio while running the app locally on my PC, and upon trying to sign out of EpiServer the breakpoint was never triggered. Where else could there be a signout action? Where is it common to place this signout action in Episerver?
So when I click on log out in the drop down menu, I am taken to ../Util/logout.aspx
Here are the response headers of that page, including the set-cookie header:
```
content-type: text/html; charset=utf-8
date: Thu, 20 Aug 2020 10:29:57 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __epiXSRF=QBY3NoddYh7udKJiNLExnx2gl8RQgIMyy9NoexL4k04=; path=/; secure; HttpOnly
strict-transport-security: max-age=15552000; includeSubDomains; preload
```
The upcoming SameSite cookie change has been handled in ASP.NET and ASP.NET Core according to this article, so try a different way:
Ensure that the ASP.NET_SessionId cookie has the "secure" flag set to "true" explicitly:
```xml
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="strict" />
```
Remove cookies forcefully:
```csharp
HttpCookie Cookie = HttpContext.Current.Request.Cookies[cookieName];
if (Cookie != null)
{
    Cookie.Secure = true;
    Cookie.Expires = DateTime.Now.AddDays(-1);
    // The expired copy has to be written to the response, otherwise the browser never sees it
    HttpContext.Current.Response.Cookies.Add(Cookie);
}
```
First of all, the code you implemented in your PageControllerBase class will not be hit from /util/logout.aspx. The logic is more or less the same, as both are calling the same service, but you won't see your breakpoint being hit.
Second, I was asking for browser versions etc. because Chrome (and the others) have made some big changes to cookie security.
To make sure a SameSite mode is being transmitted when deleting the cookie, you can try these steps:
```csharp
// inside the OWIN Startup, where the application cookie is configured
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieManager = new SameSiteCookieManager(new CookieManager())
    // ... Rest follows here.
});
```
Let us know whether this works or not. If not, there are other things to try.
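The diagnostic asked for earlier in the thread (compare the Set-Cookie issued at login with what the logout page sends back) can be scripted. This is an added example, not code from any poster or from Episerver; the cookie values are constructed, and the "as seen" logout header mirrors the shape of the one posted above. It flags the three ways a logout can leave `.AspNet.ApplicationCookie` alive: the cookie is not touched at all, it is re-issued instead of expired, or the deletion lacks an attribute (Secure, SameSite, Path, Domain) that the original carried.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
AUTH_COOKIE = ".AspNet.ApplicationCookie"
# A deletion must repeat these so the browser matches (and may overwrite) the original cookie
MATCH_ATTRS = ("path", "domain", "secure", "samesite")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_deletion(attrs, now):
    """True if the Set-Cookie expires the cookie (Max-Age <= 0 or Expires in the past)."""
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        return exp.replace(tzinfo=exp.tzinfo or timezone.utc) <= now
    return False

def audit_logout(login_headers, logout_headers, name=AUTH_COOKIE, now=None):
    """Return findings that explain why logout can leave the auth cookie alive; [] means clean."""
    now = now or datetime.now(timezone.utc)
    login = {n: a for n, _, a in map(parse_set_cookie, login_headers)}
    logout = {n: a for n, _, a in map(parse_set_cookie, logout_headers)}
    if name not in login:
        return [f"{name} was never issued at login"]
    if name not in logout:
        return [f"logout response does not touch {name}"]
    findings = []
    if not is_deletion(logout[name], now):
        findings.append(f"{name} is re-issued at logout, not expired")
    for attr in MATCH_ATTRS:
        a, b = login[name].get(attr), logout[name].get(attr)
        if (a is None) != (b is None) or (a or "").lower() != (b or "").lower():
            findings.append(f"{attr} differs: login={a!r} logout={b!r}")
    return findings

# Constructed samples: what login issues, and the shape of what /Util/logout.aspx returned above
LOGIN_SET_COOKIE = [".AspNet.ApplicationCookie=constructedToken; path=/; secure; HttpOnly; SameSite=Lax"]
LOGOUT_AS_SEEN = ["__epiXSRF=constructedXsrf; path=/; secure; HttpOnly"]
LOGOUT_NO_SECURE = [".AspNet.ApplicationCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; HttpOnly"]
LOGOUT_GOOD = [".AspNet.ApplicationCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; HttpOnly; SameSite=Lax"]
```

Feed it the raw Set-Cookie header values captured from the login POST and the logout page in the browser's network tab; an empty list means the logout response would actually clear the cookie.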