[英]How do I invalidate an authentication cookie in ASP.NET Core?
I am having trouble invalidating an authentication cookie in ASP.NET Core 3.0.我在使 ASP.NET Core 3.0 中的身份验证 cookie 无效时遇到问题。
Scenario设想
I have a user who is logged into the website.我有一个登录网站的用户。 When they click the logout button it calls the following code:当他们单击注销按钮时,它会调用以下代码:
[HttpGet]
public async Task<IActionResult> Logout()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
HttpContext.Session.Clear();
return RedirectToAction("Index", "Home");
}
This successfully clears all the cookies in the browser, however, if I grab the value of the session cookie .AspNetCore.Cookies
prior to signing out, then add it back in on a future request, I am able to navigate to the pages which require user authentication.这成功地清除了浏览器中的所有 cookie,但是,如果我在.AspNetCore.Cookies
之前获取会话 cookie .AspNetCore.Cookies
的值,然后将其重新添加到以后的请求中,我就可以导航到需要的页面用户认证。
Anyone able to help with this?任何人都可以帮助解决这个问题?
Note: The original question was regarding how to clear user session but I have since realised that this is actually an issue regarding the cookie itself and not server-side session.注意:最初的问题是关于如何清除用户会话,但我后来意识到这实际上是关于 cookie 本身而不是服务器端会话的问题。
This is how I do my logout method:这是我如何执行我的注销方法:
/// <summary>
/// Do the logout
/// </summary>
/// <returns></returns>
[HttpPost]
[ValidateAntiForgeryToken]
public async Task Logout()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
//Important, this method should never return anything.
}
The trick here is to have the method not returning anything, as the SignOut method will generate its own response internally to the browser.这里的技巧是让该方法不返回任何内容,因为 SignOut 方法将在内部为浏览器生成自己的响应。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.