I am trying to implement a cookie login and logout feature. My expectation is that after the user signs out, the page redirects to the home page. However, after the redirect, the user is logged back in. I found a solution to a similar issue from @HaoK. I tried the solution; however, it didn't redirect, and when the user accessed the home page, they were logged back in.
I feel like ASP.NET Core 2.0 should be able to support this signout+redirect scenario. If so, is there any official doc or example we could use as a reference?
Thank you very much.
My own code:
[Route("signout")]
[HttpPost]
public async Task<IActionResult> SignOut()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
return RedirectToAction("Index", "Home");
}
Authentication service setup:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
services.AddAuthentication(options =>
{
options.DefaultChallengeScheme = FacebookDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
}).AddFacebook(options =>
{
options.AppId = Configuration["Authentication:Facebook:FacebookAuthenticationAppId"];
options.AppSecret = Configuration["Authentication:Facebook:FacebookAuthenticationAppSecret"];
}).AddCookie();
}
A solution found on Stack Overflow:
[Route("signout")]
[HttpPost]
public async Task SignOut()
{
var prop = new AuthenticationProperties()
{
RedirectUri = "/"
};
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignOutAsync("oidc", prop);
}
Solution from @HaoK:
[Route("signout")]
[HttpPost]
public async Task SignOut()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
}
When you say they're logged back in, do you mean they get bounced through facebook and it automatically authenticates them again?
Unfortunately this is a limitation of Facebook's auth, which doesn't have a remote sign-out feature.
What's happening here is that when you sign out in your app, the ASP.NET Core cookie is getting deleted, but the Facebook auth cookie still exists. So, when you get redirected back to your app's home page, it requires auth, which sends you to Facebook, where you are still logged in, so Facebook returns back to the ASP.NET Core app and you're logged in again.
Thank you, Eilon. Is there any workaround we could do to implement the remote sign-out for Facebook's auth? Could you share an example or a pointer?
@peterliUmich you might have a home page that doesn't require authentication, to avoid the auth dance
Indeed, what @ilmax suggests is a common practice. Another common practice is to have a "good bye" page that is [AllowAnonymous] and you're sent there after logging out. There might be a link there to go back to the home page to log in again, contact support, etc.
You can't implement remote sign-out for facebook yourself, that would involve having code hosted on the facebook domain.
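The pattern described in the two replies above (clear the local cookie, then land on a page that does not require authentication so the global `RequireAuthenticatedUser` policy does not immediately challenge Facebook again) as an added example. This is not code from the original issue or from the ASP.NET Core repository. It assumes the `ConfigureServices` setup posted in the question (global `AuthorizeFilter`, cookie as the authenticate/sign-in scheme, Facebook as the challenge scheme), a controller named `AccountController` and a view at `Views/Account/SignedOut.cshtml`; the action is named `Logout` rather than `SignOut` only so it does not hide the `Controller.SignOut()` method on the base class, the route stays `/signout`.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller name; any MVC controller in the app works the same way.
public class AccountController : Controller
{
    // POST /signout
    // Signing out must stay a POST (and be CSRF-protected) so that a third-party
    // page cannot log the user out by making the browser follow a link.
    [Route("signout")]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // Deletes the app's own authentication cookie. The Facebook session in the
        // browser is untouched; there is no remote sign-out for Facebook, so any
        // later challenge would silently succeed and sign the user back in.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // Redirect to a page that does NOT require authentication. Redirecting to an
        // [Authorize]d page (e.g. Home/Index under the global policy) would trigger
        // the Facebook challenge and re-authenticate the user immediately.
        return RedirectToAction(nameof(SignedOut));
    }

    // GET /signedout
    // [AllowAnonymous] overrides the global RequireAuthenticatedUser filter for this
    // action only, so no challenge runs when the browser follows the redirect.
    [Route("signedout")]
    [HttpGet]
    [AllowAnonymous]
    public IActionResult SignedOut()
    {
        // Assumed view: Views/Account/SignedOut.cshtml with a "Sign in again" link.
        return View();
    }
}
```

The important check is in the redirect target: with the global `AuthorizeFilter` from the question, every action is authenticated unless it carries `[AllowAnonymous]`, so the post-logout landing page (and, if the user's approach is chosen instead, `Home/Index`) needs that attribute or the challenge to Facebook fires on the very next request. Clicking "Sign in" from that page will still log the user in without a prompt while their Facebook session exists; that is the behaviour the rest of the thread explains.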
Thank you for the suggestions, @ilmax and @Eilon. I tried your approach. The problem is that on the [AllowAnonymous] home page, when users click log in, they are logged in immediately. Ideally, they should see the dialog to enter a username and password first, instead of being logged in automatically.
Apart from adding [AllowAnonymous] on the home index controller, do I need anything else?
@peterliUmich - if the user is logging in with Facebook and they already have an account registered on your app, they won't be asked for username/password because they're already logged in with Facebook.
@HaoK / @Tratcher - does that sound right to you? Or would any ASP.NET Core cookies still be present that would prevent "local login" in this scenario? (As in, I have a local user/pass and also registered with Facebook.)
Right. You've set your app up to let Facebook handle the username and password. You don't get any say in how they do it.
If you'd rather have local usernames and passwords then start with the Individual Auth template.
As this is due to the choice of identity provider and not a limitation in our pieces I'm closing this.