Our website sometimes decides you can't log out, most of the time it works. Below are the basic guts of the matter. I have seen this problem with Chrome and IE on remote serv
I had the same problem with not being able to log off after some time using ASP.NET MVC 5 and Google Chrome and have just found the solution in the post: ASP.Net MVC 5 w/identity 2.2.0 Log off not working. The problem has been solved for now, but I will need to test it for some more time because it is an intermittent issue. There are people in this post who confirm their issue is also resolved. So, give it a try!
I think I know what the problem is here - although I'm not sure how to fix it, such is the mess of documentation for asp.net identity sometimes ;(
I had exactly the same symptoms. The key issue is, do you use a SecurityStampValidator that verifies and recreates (if needed) your cookie?
I do, and mine is set to validate very frequently (from my Startup.auth):

    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User, int>(
            validateInterval: TimeSpan.FromMinutes(1),
            regenerateIdentityCallback: (manager, user) =>
            {
                return user.GenerateUserIdentityAsync(manager);
            },
            getUserIdCallback: id => (int.Parse(id.GetUserId()))
        ),
    },

So assuming that you have similar code - how do you recreate it? Simple - log in, hit a page on your app, then wait for the defined validateInterval to lapse - so for me, wait 1 minute. After 1 minute, log off. Boom. I'm not logged off.
Now, the issue here is that the GenerateUserIdentityAsync method RECREATES your auth cookie, right after the signout has happened. I've verified that with logging - the _authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); in my LogOff action is happening, and then the cookie gets regenerated. Doh.
How to fix - well, the obvious thing is to increase the validateInterval, but that impacts security - if someone is logged on to 2 computers, and changes their password, I'd like both accounts to be logged out pretty swiftly - which is what this does.
So, that's (probably) the cause. Sorry I can't offer a nice fix :(
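One way to keep the short validateInterval while stopping the validator from re-issuing the cookie during the sign-out request, assuming the cause is the one described in the answer above. This is an added example, not code from the original posts; the helper name LogOffAwareValidator and the /Account/LogOff route are assumptions, while ApplicationUserManager, User and GenerateUserIdentityAsync are the poster's own types.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
// ApplicationUserManager and User come from the application's own namespace.

public static class LogOffAwareValidator   // hypothetical helper name
{
    // Assumed route of the LogOff action; change it to match the application.
    private static readonly PathString LogOffPath = new PathString("/Account/LogOff");

    public static CookieAuthenticationProvider Create()
    {
        // The same validator as in the answer: re-checks the security stamp
        // once validateInterval has elapsed and, if it still matches,
        // signs the user in again with a freshly generated identity.
        Func<CookieValidateIdentityContext, Task> validate =
            SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User, int>(
                validateInterval: TimeSpan.FromMinutes(1),
                regenerateIdentityCallback: (manager, user) =>
                    user.GenerateUserIdentityAsync(manager),
                getUserIdCallback: id => int.Parse(id.GetUserId()));

        return new CookieAuthenticationProvider
        {
            OnValidateIdentity = context =>
            {
                // On the sign-out request the cookie is about to be removed,
                // so skip validation there: the validator never runs its
                // regenerate-and-sign-in step in the same request as SignOut.
                if (context.Request.Path.StartsWithSegments(LogOffPath))
                {
                    return Task.FromResult(0);
                }

                // Every other request keeps the one-minute stamp check, so a
                // password change still invalidates other sessions quickly.
                return validate(context);
            }
        };
    }
}
```

In Startup.Auth this would be wired in as `Provider = LogOffAwareValidator.Create()` in place of the inline provider.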