I have an OWIN middleware for authentication. We have two types of authentication in place.
The first type is a bearer token, using the following configuration:
    var OAuthOptions = new OAuthAuthorizationServerOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalBearer,
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true,
        AccessTokenFormat = new SecureTokenFormatter(GetMachineKey())
    };
And the second type uses an authentication cookie for external login:
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
        AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.SameAsRequest,
        CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,
        ExpireTimeSpan = TimeSpan.FromMinutes(5),
        TicketDataFormat = new SecureTokenFormatter(GetMachineKey())
    });
When the user logs out, we actually issue two logouts.
With the first one, I am expecting to see the .AspNet.ExternalCookie cookie deleted from the browser, which it is not.
With the second one, I am expecting to get my token invalidated and User.Current.Identity = null, which it is not.
So how can I:
1) Physically log out the current identity for the current session?
2) Remove the external cookie from the browser?
I had the same issue you had, and after 3 days of searching I found the answer (sort of...).
Try ONE (and only one) of these code lines in your logout. (They all worked for me, and I'm using the first one, but the more examples the better, right?)
    Request.GetOwinContext().Authentication.SignOut();
    Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
    HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);
The problem is well described in this article, but it does not provide a working fix (at least for me it didn't): http://coding.abel.nu/2014/11/catching-the-system-webowin-cookie-monster/
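
An added example, not code from either post: a logout for the passive external-cookie middleware configured in the question, with the cookie written through System.Web so the expiring Set-Cookie header is not dropped. `ExternalCookieSetup`, `LogoutController` and the route are hypothetical names; it assumes Microsoft.Owin.Host.SystemWeb 3.1.0 or later, a site served over HTTPS, and the default ticket protection instead of the question's `SecureTokenFormatter`.

```csharp
using System;
using System.Net.Http;                 // Request.GetOwinContext() extension
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Host.SystemWeb;   // SystemWebCookieManager
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class ExternalCookieSetup   // hypothetical name
{
    public static void Configure(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
            AuthenticationMode = AuthenticationMode.Passive,
            CookieName = ".AspNet." + DefaultAuthenticationTypes.ExternalCookie,
            CookieHttpOnly = true,
            // Assumption: HTTPS only. SameAsRequest lets the cookie travel over plain HTTP.
            CookieSecure = CookieSecureOption.Always,
            ExpireTimeSpan = TimeSpan.FromMinutes(5),
            // Route cookie writes through HttpContext.Response.Cookies so System.Web
            // cannot overwrite the Set-Cookie header that expires the cookie.
            CookieManager = new SystemWebCookieManager()
        });
    }
}

[RoutePrefix("api/Account")]
public class LogoutController : ApiController   // hypothetical name and route
{
    [HttpPost, Route("Logout")]
    public IHttpActionResult Logout()
    {
        IAuthenticationManager auth = Request.GetOwinContext().Authentication;

        // A passive middleware only reacts to a sign-out that names its own
        // AuthenticationType; a parameterless SignOut() or one that names
        // ApplicationCookie leaves .AspNet.ExternalCookie in the browser.
        auth.SignOut(DefaultAuthenticationTypes.ExternalCookie);

        // The bearer token is self-contained: no server-side state is cleared
        // here, so it stays valid until AccessTokenExpireTimeSpan elapses.
        // The client must discard it; revocation needs a shorter lifetime or
        // a server-side deny list checked on each request.
        return Ok();
    }
}
```

The response to this call should carry a `Set-Cookie` header for `.AspNet.ExternalCookie` with an expiry in the past; if it does not, the sign-out did not reach the cookie middleware.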