Hi,
We are using ServiceStack 8.8 with ASP.NET Core 9.0.7.
Hopefully something simple we are missing.
Trying to configure IdentityAuth and ensure that session cookies are deleted after logout.
We are using the ServiceStack TypeScript client v2.1.11, sending an Authenticate with provider ‘credentials’ to log in and then an Authenticate with provider ‘logout’ to log out.
The steps are:
- Login using credentials auth.
- Send a request to a service decorated with the [Authenticate] attribute.
- Logout.
- Resend the request with the same cookie etc.
I would expect step 4 to fail as unauthorised, but it returns a 200 and data.
We added some logging on AuthFeature OnLogoutAsync including the session.IsAuthenticated. When I check the log file IsAuthenticated is still showing as true.
What do we need to change so the session is deleted on logout and the repeated request fails?
Thanks
In Configure.Auth:

```csharp
var authFeature = new AuthFeature( IdentityAuth.For<ApplicationUser>( options =>
{
    options.CredentialsAuth();
    options.SessionFactory = () => new CustomUserSession();
} ) )
{
    DeleteSessionCookiesOnLogout = true
};

authFeature.OnLogoutAsync.Add( async request =>
{
    var session = await request.GetSessionAsync();
    // Log request details - e.g. user info, IP address, logout time
    var userAuthName = session.UserAuthName;
    var ipAddress = request.UserHostAddress;
    var logoutTime = DateTime.Now;
    var isAuthenticated = session.IsAuthenticated;
    Log.Information( "User: {UserAuthName} logged out from IP: {IpAddress} at {LogoutTime:yyyy-MM-dd HH:mm:ss}. Is authenticated: {IsAuthenticated}", userAuthName, ipAddress, logoutTime, isAuthenticated );
} );

services.AddPlugin( authFeature );
services.AddAuthorization();
services.AddAuthentication();
```
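
The four steps listed in the post can be scripted as a replay check that holds the cookies by hand, so that deleting them on the client cannot hide whether the server still accepts them. This is an added example, not part of the original post and not ServiceStack code; the base URL, the protected route, the test account, and the `/auth/credentials` and `/auth/logout` routes are assumptions about the app under test.

```csharp
// Added example (not the poster's code): replay a pre-logout cookie after logout.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading.Tasks;

const string BaseUrl = "https://localhost:5001";  // assumption: where the app listens
const string ProtectedPath = "/hello-secure";     // hypothetical [Authenticate] service route

// UseCookies = false: no cookie container, so the logout response cannot
// remove anything from this client. AllowAutoRedirect = false: a redirect
// to a login page is reported as-is instead of being followed to a 200.
using var http = new HttpClient(new HttpClientHandler
{
    UseCookies = false,
    AllowAutoRedirect = false
}) { BaseAddress = new Uri(BaseUrl) };
http.DefaultRequestHeaders.Accept.ParseAdd("application/json");

// Step 1: log in and capture the name=value part of every Set-Cookie header.
var login = await http.PostAsJsonAsync("/auth/credentials",
    new { UserName = "test@example.org", Password = "<password>" }); // constructed account
login.EnsureSuccessStatusCode();
var cookieHeader = login.Headers.TryGetValues("Set-Cookie", out var setCookies)
    ? string.Join("; ", setCookies.Select(c => c.Split(';')[0]))
    : throw new InvalidOperationException("Login response set no cookies.");

// Sends a request carrying the captured cookies and returns the status code.
async Task<HttpStatusCode> SendWithCookies(HttpMethod method, string path)
{
    using var req = new HttpRequestMessage(method, path);
    req.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
    using var res = await http.SendAsync(req);
    return res.StatusCode;
}

var beforeLogout = await SendWithCookies(HttpMethod.Get, ProtectedPath);   // step 2
var logout = await SendWithCookies(HttpMethod.Post, "/auth/logout");       // step 3
var afterLogout = await SendWithCookies(HttpMethod.Get, ProtectedPath);    // step 4

// The replay counts as accepted if the server still answers with a 2xx.
var replayAccepted = (int)afterLogout is >= 200 and < 300;
Console.WriteLine($"before={(int)beforeLogout} logout={(int)logout} after={(int)afterLogout}");
Console.WriteLine(replayAccepted
    ? "FAIL: pre-logout cookies are still accepted after logout."
    : "PASS: pre-logout cookies are rejected after logout.");
Environment.ExitCode = replayAccepted ? 1 : 0;
```

A non-zero exit code means the cookies captured at login still authenticate after logout, which is the behaviour described in step 4.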