OWIN - Authentication.SignOut() doesn't seem to remove the cookie

Question

I'm having some issues with OWIN Cookie authentication. I have a .Net site that has some MVC pages which use cookie authentication and WebAPI resources protected by a bearer token.

When I log out, I delete the access token on the client, so subsequent API requests will not have the token in the header and will thus fail the authentication. This part is fine.

In the same manner, I would also like the log out to delete the cookie used by the MVC pages. I did the following on the server:

    [Route("Logout")]
    public IHttpActionResult Logout()
    {
        var ctx = Request.GetOwinContext();
        var authenticationManager = ctx.Authentication;
        authenticationManager.SignOut();
        return Ok();
    }

However, after calling Logout, I can still visit the protected MVC page even though the cookie would have supposedly been deleted by the Logout call.

It seems so simple, so I might have missed something.

Thanks,

Recommended answer

I had a similar problem for the past few days. Instead of

    Request.GetOwinContext().Authentication.authenticationManager.SignOut();

Use ONE (and only one) of these:

    Request.GetOwinContext().Authentication.SignOut();

    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

    HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

This article explains why your cookies don't get deleted: https://dzone.com/articles/catching-systemwebowin-cookie

I know my answer isn't the most research-based, but to tell you the truth, I just couldn't find WHY my provided code examples work for me. I just know that System.Web messes up OWIN's cookies if you do SignOut() another way.
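A check to run against the Logout response to confirm the cookie is really being cleared, as an added example that is not part of the original question or answer. It assumes the default cookie name for the ApplicationCookie authentication type, and the sample headers are constructed.

```python
from email.utils import mktime_tz, parsedate_tz

# Default cookie name for the ApplicationCookie authentication type
# (assumption: CookieAuthenticationOptions.CookieName was not customised).
COOKIE_NAME = ".AspNet.ApplicationCookie"

# Constructed sample Set-Cookie values, not captured from a real site.
SAMPLE_CLEARED = [COOKIE_NAME + "=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT"]
SAMPLE_LOST = ["ASP.NET_SessionId=constructed; path=/; HttpOnly"]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def is_expired(attrs, now):
    """True if Max-Age or Expires tells the browser to drop the cookie."""
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit():
        return int(max_age) <= 0
    parsed = parsedate_tz(attrs.get("expires", ""))
    return parsed is not None and mktime_tz(parsed) <= now


def logout_clears_cookie(set_cookie_headers, now, name=COOKIE_NAME):
    """Check the Set-Cookie headers of a Logout response.

    Returns False when no header touches the auth cookie (the header never
    reached the client, so the browser keeps its cookie) or when the last
    header for it still carries a value the browser will store.
    """
    cleared = False
    for header in set_cookie_headers:
        cookie, value, attrs = parse_set_cookie(header)
        if cookie == name:
            cleared = value == "" and is_expired(attrs, now)
    return cleared
```

Pass it the Set-Cookie values from the Logout response together with the current Unix time; a False result means the browser still holds a usable authentication cookie after logout.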
