Logout not working, .AspNet.ApplicationCookie is not being deleted


When I click on logout I am taken to util/logout.aspx however when I navigate back to the main page of our website I am still logged in and can access the CMS backend.

From what I can tell the cookie .AspNet.ApplicationCookie is not being deleted.

In our PageControllerBase.cs we have:

        public ActionResult Logout()
            return RedirectToAction("Index");

Which when I compare it to the Alloy EpiServer demo appears to be identitical.

Where else do I need to look to check what could be the issue?

In case it is also relevant, we are using a custom login page:

namespace Project.Site.Controllers
    public class CustomLoginController : Controller
        private UISignInManager uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
        private UIUserProvider uiUserProvider = ServiceLocator.Current.GetInstance<UIUserProvider>();

        public ActionResult Index()
            return View(Global.CustomLoginView);

        public ActionResult LocalLogin(CustomLoginViewModel model)
            if (ModelState.IsValid)

                bool result = uiSignInManager.SignIn(uiUserProvider.Name, model.Username, model.Password);

                if (result)
                     return Redirect(UrlResolver.Current.GetUrl(ContentReference.StartPage));

            ModelState.AddModelError("LoginError", "Login failed");

            return View(Global.CustomLoginView, model);

Edited, Aug 14, 2020 6:55

Which browsers does this happen in? Chrome 80+?

Edited, Aug 16, 2020 15:30

From what I have tested so far this is happening in Chrome 84, Edge 84, Firefox (Extended Support Release) 68, Internet Explorer 11.

Aug 17, 2020 7:05

Do your cookie have a Secure flag? And do the "cookie deletion" (when deleting a cookie the server sends the same cookie name, but with an old expiration date) also feature a Secure flag?

Aug 17, 2020 18:39

Thank you for the info.

From what I can tell, we are not using any custom logout or cookie deletion script. So I assume we are using episerver defaults?

Aug 18, 2020 8:45

Yes, that you would be the Episerver defaults which in turn relies on the OWIN cookie authentication middleware.

Do you use HTTPS or HTTP when it doesn't work? And can you find and show me the Set-Cookie response header from the log-out page request?

Aug 18, 2020 15:39

Try to remove forcefully cookies from the browser on signout action and pass the cookie name into remove method as below:

public ActionResult Logout()
   var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();  
   return RedirectToAction("Index");
Aug 20, 2020 3:20

Thank you for the suggestion. This was actually one of the first things I tried, I tried it again with your syntax and again it had no effect. However it just occured to me to set a breakpoint in Visual Studio while running the app locally on my pc and upon trying to sign out of EpiServer the breakpoint was never triggered. Where else could there be a signout action? Where is it common to place this signout action in episerver?

Aug 20, 2020 9:14
Stefan Holm Olsen - Aug 20, 2020 9:38
Also, this would just be removing the symptom. Not fixing the issue.
EpiNewbie - Aug 20, 2020 9:39
Yes true
Stefan Holm Olsen - Aug 20, 2020 10:12
If you could provide a sample of the header value, then I can diagnose further.
EpiNewbie - Aug 20, 2020 10:34
Done below

So when I click on log out in the drop down menu, I am taken to ../Util/logout.aspx

Here is the set-cookie from the response header of that page:

access-control-expose-headers: Request-Context
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 5c5b34530ee4cb98
cf-request-id: 04ad03d3e20fgyfgyfg0200000001
content-encoding: gzip
content-length: 2599
content-type: text/html; charset=utf-8
date: Thu, 20 Aug 2020 10:29:57 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: -1
pragma: no-cache
request-context: appId=cid-v1:dfgyfdg5-1650-4750-81d0-yfgyfgyfgf
server: cloudflare
set-cookie: __epiXSRF=QBY3NoddYh7udKJiNLExnx2gl8RQgIMyy9NoexL4k04=; path=/; secure; HttpOnly
status: 200
strict-transport-security: max-age=15552000; includeSubDomains; preload
vary: Accept-Encoding
x-aspnet-version: 4.0.30319
x-content-type-options: nosniff
X-DNS-Prefetch-Control: off
x-powered-by: ASP.NET
Edited, Aug 20, 2020 10:36
Stefan Holm Olsen - Aug 20, 2020 10:57
Can you confirm that you are using ASP.Net Identity and OWIN?

The Upcoming SameSite Cookie has been changed in ASP.NET and ASP.NET Core according to this article, so try with different way:

Ensure that ASP.NET_SessionId cookie has "secure" flag set to "true" explicitly

    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="strict" />

Remove cookies forcefully.

HttpCookie Cookie = HttpContext.Current.Request.Cookies[cookieName];
if (Cookie != null)
    Cookie.Secure = true;
    Cookie.Expires = DateTime.Now.AddDays(-1);
Aug 20, 2020 14:43

Hi epiNewbie

First of all, the code you implemented in your PageControllerBase class, will not be hit from /util/logout.aspx. The logic is more or less the same, as both are calling the same service. But you won't see your breakpoint being hit.

Second. I was asking for browser version etc. because Chrome (and the others) have made some big changes to cookie security.

To make sure a SameSite mode is being transmitted when deleting the cookie, you can try these steps:

  1. Make sure the project is on .Net Framework 4.7.2
  2. Copy the SameSiteCookieManager class from this documentation page.
  3. Upgrade all NuGet packages, which starts with "Microsoft.Owin" to version 4.1.0 or higher (if available).
  4. Merge in the CookieManager property from below code sample into your Startup.cs file.
app.UseCookieAuthentication(new CookieAuthenticationOptions
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieManager = new SameSiteCookieManager(new CookieManager())
    // ... Rest follows here.

Let us know whether this works or not. If not, there are other things to try.

Aug 20, 2020 15:49
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.