IdentityAuth AuthFeature DeleteSessionCookiesOnLogout

Hi,

We are using ServiceStack 8.8 with ASP.NET Core 9.0.7.

Hopefully something simple we are missing.

Trying to configure IdentityAuth and ensure that session cookies are deleted after logout.

We are using the ServiceStack TypeScript client v2.1.11, sending an Authenticate with provider ‘credentials’ to log in and then an Authenticate with provider ‘logout’ to log out.

The steps are:

  1. Login using credentials auth.
  2. Send a request to a service decorated with the [Authenticate] attribute.
  3. Logout.
  4. Resend the request with the same cookie etc.

I would expect step 4 to fail as unauthorised, but it returns a 200 and data.

We added some logging on AuthFeature OnLogoutAsync including the session.IsAuthenticated. When I check the log file IsAuthenticated is still showing as true.

What do we need to change so the session is deleted on logout and the repeated request fails?

Thanks

In Configure.Auth

var authFeature = new AuthFeature( IdentityAuth.For<ApplicationUser>( options =>
{
    options.CredentialsAuth();
    options.SessionFactory = () => new CustomUserSession();
} ) )
{
    DeleteSessionCookiesOnLogout = true
};

authFeature.OnLogoutAsync.Add( async request =>
{
    var session = await request.GetSessionAsync();

    // Log request details - e.g. user info, IP address, logout time
    var userAuthName = session.UserAuthName;
    var ipAddress = request.UserHostAddress;
    var logoutTime = DateTime.Now;
    var isAuthenticated = session.IsAuthenticated;
    Log.Information( "User: {UserAuthName} logged out from IP: {IpAddress} at {LogoutTime:yyyy-MM-dd HH:mm:ss}. Is authenticated: {IsAuthenticated}", userAuthName, ipAddress, logoutTime, isAuthenticated );

} );

services.AddPlugin( authFeature );

services.AddAuthorization();
services.AddAuthentication();

If you’re using the default Identity Auth Application Cookie, it works like JWTs where there is no “Server Session”, i.e. the stateless session is encapsulated within the .AspNetCore.Identity.Application cookie itself.

Signing out should remove the cookie, so subsequent requests won't have the cookie to be able to make Authenticated Requests, but you'll still be able to make authenticated requests if you resend requests with the Authenticated cookie (just like JWT Cookies).

Thank you for the quick response.

Yes we are using the default Application Cookie and I hadn’t realised that they behaved like JWTs.

Will have to look at ways of changing it so repeated requests behave more like expected.
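As an added example (not code from either poster or from ServiceStack's own docs), one way to make a replayed .AspNetCore.Identity.Application cookie fail after logout is to rotate the user's Identity SecurityStamp in the OnLogoutAsync hook and have ASP.NET Core Identity re-validate the stamp on every request. It assumes the ApplicationUser / CustomUserSession types from the question and that session.UserAuthId holds the Identity user Id when the logout hook runs:

```csharp
// Added example: revoke a stateless Identity Application Cookie on logout.
// Assumes ApplicationUser : IdentityUser and CustomUserSession from the original question.
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using ServiceStack;
using ServiceStack.Auth;

public static class LogoutRevocation
{
    public static void Configure(IServiceCollection services)
    {
        // The cookie handler only re-checks the SecurityStamp claim against the store
        // every ValidationInterval (default 30 minutes). TimeSpan.Zero checks on every
        // request, so a cookie issued before the stamp changed is rejected immediately.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.Zero);

        var authFeature = new AuthFeature(IdentityAuth.For<ApplicationUser>(options =>
        {
            options.CredentialsAuth();
            options.SessionFactory = () => new CustomUserSession();
        }))
        {
            DeleteSessionCookiesOnLogout = true
        };

        authFeature.OnLogoutAsync.Add(async request =>
        {
            var session = await request.GetSessionAsync();
            if (!session.IsAuthenticated) return;

            // Assumption: UserAuthId is the Identity user Id for IdentityAuth sessions.
            var userManager = request.TryResolve<UserManager<ApplicationUser>>();
            var user = await userManager.FindByIdAsync(session.UserAuthId);
            if (user == null) return;

            // Rotating the stamp changes the value the stored claim must match, so any
            // cookie carrying the old stamp is rejected by SecurityStampValidator.
            await userManager.UpdateSecurityStampAsync(user);
        });

        services.AddPlugin(authFeature);
        services.AddAuthorization();
        services.AddAuthentication();
    }
}
```

Rotating the stamp invalidates every existing cookie for that user, not only the one used to log out, and ValidationInterval = TimeSpan.Zero adds a user-store lookup to each authenticated request, so pick an interval that matches the revocation latency you can tolerate.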