HttpContext.Authentication.SignOutAsync does not delete auth cookie

Problem description

According to ASP.NET Core documentation the method HttpContext.Authentication.SignOutAsync() must delete the authentication cookie as well.

Signing out

To sign out the current user, and delete their cookie (italics mine - A.C.) call the following inside your controller

await HttpContext.Authentication.SignOutAsync("MyCookieMiddlewareInstance");

But it does not! Everything else seems okay, esp. auth scheme, because user gets signed-in correctly and the cookie .AspNetCore. is created.

Any ideas why the cookie remains after the user's sign-out?

Recommended answer

You didn't post enough code to tell, but I suspect after you call SignOutAsync you have some type of redirect (for example, RedirectToAction) which overwrites the redirect to the OIDC endsession URL that SignOutAsync tries to issue.

(The same explanation for the redirect overwrite problem is given here by Microsoft's HaoK.)

If my speculation above is correct, the solution is to send a redirect URL in an AuthenticationProperties object with the final SignOutAsync:

// in some controller/handler, notice the "bare" Task return value
public async Task LogoutAction()
{
    // SomeOtherPage is where we redirect to after signout
    await MyCustomSignOut("/SomeOtherPage");
}

// probably in some utility service
public async Task MyCustomSignOut(string redirectUri)
{
    // inject the HttpContextAccessor to get "context"
    await context.SignOutAsync("Cookies");
    var prop = new AuthenticationProperties()
    {
        RedirectUri = redirectUri
    };
    // after signout this will redirect to your provided target
    await context.SignOutAsync("oidc", prop);
}
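
The redirect overwrite suspected in the answer, next to a version that lets the sign-out handlers issue the redirect, as an added example that is not part of the original question or answer. It assumes ASP.NET Core 2.0 or later, a hypothetical AccountController with a Home/Index action, and the scheme names "Cookies" and "oidc" used in the answer.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller. The scheme names "Cookies" and "oidc" come from the
// answer and must match the names registered at startup.
public class AccountController : Controller
{
    // Suspected failing pattern: the OIDC handler responds to SignOutAsync by
    // setting a redirect to the provider's end-session URL on the response.
    // The RedirectToAction result then replaces that Location header, so the
    // browser never visits the end-session endpoint and the provider session
    // stays alive. The next challenge can sign the user back in silently.
    public async Task<IActionResult> LogoutOverwritten()
    {
        await HttpContext.SignOutAsync("Cookies");
        await HttpContext.SignOutAsync("oidc");
        return RedirectToAction("Index", "Home"); // overwrites the OIDC redirect
    }

    // Corrected pattern: return a SignOutResult and let the handlers write the
    // response. The post-logout target travels in AuthenticationProperties.
    public IActionResult Logout()
    {
        // Url.Action builds a local path from route data, so no
        // request-supplied URL ends up in the post-logout redirect.
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action("Index", "Home")
        };
        return SignOut(props, "Cookies", "oidc");
    }
}
```

To check the result, inspect the logout response in the browser's network tab: it should carry an expiring Set-Cookie for the auth cookie and a Location header pointing at the identity provider rather than at the application.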
