Is there a way to clear server side OWIN / authentication data?

Question

After a recent security scan, the info sec team said they do not like the fact they can save the .AspNet.ApplicationCookie value, and use it again afterwards allowing the user access to the site.

After reading around, I understand this is standard behaviour but I have to find a way of completely killing a session upon signing the user out.

My understanding is a little thin here so my searching is bringing up very little. Is there a way of going about this?

Answer 1

A late reply, but for those that come across this:

We handled this by adding a custom attribute that validates a thumbprint. We use the attribute for any page behind a login.

The following is a rough example of how this is achieved.

The thumbprint is created at sign in and added to cache:

    private void OwinSignIn(tblUser user)
    {
        var thumbPrint = Guid.NewGuid();
        var claims = new List<Claim>
        {
            ....
            new Claim(ClaimTypes.Thumbprint, thumbPrint.ToString())
        };


        MemoryCache.Default.Set(thumbPrint.ToString(), true, new CacheItemPolicy() { AbsoluteExpiration = DateTimeOffset.Now.AddMinutes(60) });
}

The attribute then looks for this thumbprint and acts accordingly:

public class ValidateThumbprint : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)

    var identity = (ClaimsIdentity)filterContext.HttpContext.User.Identity;
    var thumbPrint = identity.Claims?.Where(s => s.Type == ClaimTypes.Thumbprint).First().Value;

    if (thumbPrint != null)
    {
        if (MemoryCache.Default.Contains(thumbPrint))
        {
            return;
        }
    }
        // handle invalid thumbprint
}

I am not sure if this is the best way and most secure way, but it does prevent saving and reusing the cookie after logging out.