C# ASP.NET Form authentication cookie deletion from API request


I have an ASP.NET web application where I used form-based authentication. This creates a cookie in the browser. Now there is a requirement where I need to log out based on an API call, so I added code to a web page (say SignIn.aspx?logout=1) and used the query string to clear the cookie.

When the above URL (http://localhost/SignIn.aspx?logout=1) is invoked from a browser, the cookie is deleted, but if the same URL is invoked as an API call from Postman, the cookie is not deleted.

This is my web.config file:

<authentication mode="Forms">
    <forms loginUrl="~/SignIn.aspx" timeout="60" protection="All" name=".cgrh"/>
</authentication>

Code I used to delete the cookie (this works fine when invoked from the browser):

FormsAuth = new FormsAuthenticationService();
FormsAuth.SignOut();

I know that a cookie cannot be deleted directly, so we need to set the expiration date. I tried all these things, but was not able to delete the cookie from the API call.

I also tried using the same cookie (.cgrh) from Postman so as to make it an authenticated user, but still could not delete it.

Some code I tried for deleting the cookie is as follows, but it does not work:

using System;
using System.Web;

public static void RemoveCookie(string cookieName, string keyName, string domain)
{
    HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieName];
    if (cookie == null)
        return;

    // SameSite=None cookies are rejected by Chrome and other modern browsers unless they are also Secure,
    // which would leave the expired cookie unapplied (a "non-deletion" bug). In that case suppress the
    // SameSite attribute entirely so the deletion is honoured (the -1 cast tells ASP.NET not to emit it).
    if (cookie.SameSite == SameSiteMode.None && !cookie.Secure)
        cookie.SameSite = (SameSiteMode)(-1);

    if (!String.IsNullOrEmpty(domain))
        cookie.Domain = domain;

    if (String.IsNullOrEmpty(keyName))
    {
        // Delete the whole cookie: the only way to remove it from the client is to send it back already expired.
        cookie.Expires = DateTime.UtcNow.AddYears(-1);
        HttpContext.Current.Response.Cookies.Add(cookie);
        HttpContext.Current.Request.Cookies.Remove(cookieName);
    }
    else
    {
        // Delete a single sub-key and send the remaining values back to the client.
        cookie.Values.Remove(keyName);
        HttpContext.Current.Response.Cookies.Add(cookie);
    }
}

public static void RemoveCookie(string key)
{
    HttpContext context = HttpContext.Current;
    string encodedKey = context.Server.UrlEncode(key);

    // Build a replacement cookie with the same (encoded) name, already expired.
    HttpCookie cookie = new HttpCookie(encodedKey)
    {
        HttpOnly = true,
        Expires = new DateTime(1999, 10, 12),
        Domain = ""
    };

    // Remove any pending copy from the response (this has no effect on the client) ...
    context.Response.Cookies.Remove(encodedKey);

    // ... then send the expired cookie, which tells the client that made this request to discard it.
    context.Response.Cookies.Add(cookie);
}
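As an added example (not code from the question), the HTTP cookie semantics behind the problem, modelled in Python: the expiring Set-Cookie that SignOut() emits reaches only the client that sent the request, so a Postman call cannot clear the browser's `.cgrh` cookie. The `Server.revoked` set is an assumed server-side revocation list, not something in the question's code, showing how the browser's stale ticket can still be rejected on its next request.

```python
from datetime import datetime, timezone

COOKIE_NAME = ".cgrh"   # forms-auth cookie name from the web.config in the question
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class Server:
    """Stand-in for the ASP.NET site: the cookie value is the auth ticket."""

    def __init__(self):
        # Assumption: a server-side revocation store (e.g. a DB table keyed on the ticket).
        self.revoked = set()

    def handle(self, path, cookies):
        """Return (body, set_cookie); set_cookie is None or (name, value, expires)."""
        ticket = cookies.get(COOKIE_NAME)
        if path == "/SignIn.aspx?logout=1":
            if ticket:
                self.revoked.add(ticket)      # the step FormsAuthentication.SignOut() does NOT do
            # Equivalent of SignOut(): expire the cookie on *this* response only.
            return "signed out", (COOKIE_NAME, "", EPOCH)
        if ticket and ticket not in self.revoked:
            return "secret page", None
        return "redirect to /SignIn.aspx", None


class Client:
    """One cookie jar per HTTP client; Set-Cookie only reaches the client that made the request."""

    def __init__(self, jar=None):
        self.jar = dict(jar or {})

    def get(self, server, path):
        body, set_cookie = server.handle(path, self.jar)
        if set_cookie:
            name, value, expires = set_cookie
            if expires <= datetime.now(timezone.utc):
                self.jar.pop(name, None)      # an already-expired cookie means "delete it"
            else:
                self.jar[name] = value
        return body


def demo():
    server = Server()
    ticket = "ticket-abc"                     # constructed sample ticket value
    browser = Client({COOKIE_NAME: ticket})
    postman = Client({COOKIE_NAME: ticket})   # same cookie pasted into Postman, as in the question
    postman.get(server, "/SignIn.aspx?logout=1")
    return {
        "postman_jar": dict(postman.jar),     # cleared: the expiring Set-Cookie reached this client
        "browser_jar": dict(browser.jar),     # untouched: the browser never saw that response
        "browser_next": browser.get(server, "/Secret.aspx"),  # but its ticket is now revoked
    }
```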

There are 0 answers