Umbraco member logout doesn't invalidate the cookie
Hi,
I'm trying to make sure that the .AspNetCore.Identity.Application cookie gets invalidated on Umbraco frontend member logout.

I'm using IMemberSignInManager.SignOutAsync() to sign out a member on click of the logout button. This method updates the security stamp, which I could verify in the database as well. Also, I could verify that the security stamp is part of the user's identity claims. However, this is not invalidating the cookie. When I use the same cookie which got generated on login, after I log out, in a Postman call to the application, I can still access the content which is accessible only to logged-in users.

Any help on this is greatly appreciated. Thanks!
After a pen test I added the following to go full nuclear on cookies on sign out - perhaps this is useful to you.
NOTE - this also boots any signed-in users out of Umbraco; it also killed our cart cookie, sessions, etc.
Thanks for the help. But my problem is slightly different. This solution is going to clear the cookies from the browser but doesn't invalidate the cookie on the server. What I'm looking for is:
Step 1: Log in to the Umbraco frontend
Step 2: Copy the cookie from the browser when logged in
Step 3: Hit the application with this cookie from Postman or any similar tool. This returns the user information (I have an endpoint which returns the user info based on the cookie received. If the cookie is not valid, it returns an anonymous user)
Step 4: Log out of the Umbraco frontend (this is currently clearing the cookie, so the user is not logged in to the website in the browser and it expects the credentials again)
Step 5: Hit the application (the same endpoint used in step 3) with the same cookie that we got in step 2, using Postman or similar. I want the cookie to have been invalidated and this endpoint to return 'Anonymous user'; however, it still returns the user information, as the cookie is still valid
How can I make sure that the cookie is not valid anymore when used in step 5?
Did you ever get a solution for this?
We received a 'low' issue regarding this on our pen test but the client wants it resolved.
No. Still looking for a solution.
I just rolled my own token store and added that as a secondary layer of auth, worked pretty easily and persisted tokens to the database so I could clear out all of a user's sessions on logout or password change.
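One way to get the behaviour asked for in step 5 (the cookie rejected server-side after logout) that also matches what the last reply describes (server-side tokens that can be cleared for a whole user) is to move the authentication ticket out of the cookie and into a server-side store. The code below is an added example, not code from this thread or from Umbraco. It assumes an ASP.NET Core 6+ Umbraco site whose member cookie is the standard Identity application cookie (the cookie name in the question, .AspNetCore.Identity.Application, is Identity's default); that IMemberSignInManager lives in Umbraco.Cms.Core.Security; and that the in-memory dictionary stands in for the database table the reply mentions. MemberSessionStore, AddMemberSessionStore and MemberAuthController are made-up names.

```csharp
// Added example (not from the thread or from Umbraco): server-side session store so that
// logout revokes the ticket on the server instead of only deleting the browser's copy.
// Assumptions: ASP.NET Core 6+, member cookie = Identity application cookie,
// IMemberSignInManager in Umbraco.Cms.Core.Security. The dictionary stands in for a DB table.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Security; // IMemberSignInManager (namespace assumed)

public sealed class MemberSessionStore : ITicketStore
{
    // session key -> ticket. In production this is a table keyed on the session id.
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // Only this opaque key is written into the cookie; the claims stay on the server.
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket; // sliding expiration refreshes the stored ticket
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        // Returning null makes the cookie handler treat the request as anonymous,
        // which is exactly what step 5 of the question expects after logout.
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }

    // Revoke every session of one member (logout everywhere, password change).
    // Returns the number of sessions removed so callers can log it.
    public int RevokeAllForMember(string memberId)
    {
        var keys = _tickets
            .Where(kv => kv.Value.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value == memberId)
            .Select(kv => kv.Key)
            .ToList();
        foreach (var key in keys) _tickets.TryRemove(key, out _);
        return keys.Count;
    }
}

public static class MemberSessionStoreRegistration
{
    public static IServiceCollection AddMemberSessionStore(this IServiceCollection services)
    {
        var store = new MemberSessionStore();
        services.AddSingleton(store);

        // Attach the store to the Identity application cookie: the cookie now carries
        // only the session key, so a copied cookie is useless once the key is removed.
        services.ConfigureApplicationCookie(o => o.SessionStore = store);

        // Lighter, complementary fix: Identity only re-checks the security stamp every
        // ValidationInterval (default 30 minutes), which is why the updated stamp in the
        // question did not reject the old cookie immediately. Zero re-checks every request.
        services.Configure<SecurityStampValidatorOptions>(o => o.ValidationInterval = TimeSpan.Zero);
        return services;
    }
}

public class MemberAuthController : Controller
{
    private readonly IMemberSignInManager _signInManager;
    private readonly MemberSessionStore _sessions;

    public MemberAuthController(IMemberSignInManager signInManager, MemberSessionStore sessions)
    {
        _signInManager = signInManager;
        _sessions = sessions;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // Kill every server-side session for this member before clearing the browser cookie,
        // so the cookie captured in step 2 fails in step 5.
        var memberId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (memberId is not null) _sessions.RevokeAllForMember(memberId);

        await _signInManager.SignOutAsync(); // same call as in the question; clears the browser cookie
        return Redirect("/");
    }
}
```

Register it with `builder.Services.AddMemberSessionStore()` after Umbraco's own service registration so the cookie options are applied last; whether Umbraco's member cookie configuration overrides SessionStore is not verified here and should be checked by repeating steps 1 to 5 from the question. The ValidationInterval change alone would also reject the old cookie on the next request after SignOutAsync updates the stamp, but at the cost of a database read per request; the ticket store gives explicit, auditable revocation and the "log out everywhere" behaviour the last reply describes.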