If you use OWIN Authentication Cookies with ASP.NET Identity, you might want to invalidate all cookies when the user signs out of your application. To do this, read every cookie from the HTTP request and add each one to the response with an expiration date that has already passed, which tells the browser to delete it. Here’s how to invalidate all cookies in ASP.NET on sign out using cookie authentication and OWIN middleware.
Edit your Startup.Auth.cs file and assign a handler to the OnResponseSignOut callback of the cookie authentication provider. When a user chooses to sign out of your application, this handler will execute and invalidate all cookies as desired:
```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

namespace Devineloper.Web
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                Provider = new CookieAuthenticationProvider
                {
                    OnValidateIdentity = context =>
                    {
                        /* validate the user's identity here */
                        return Task.FromResult(0);
                    },
                    // Runs when the application signs the user out.
                    OnResponseSignOut = context =>
                    {
                        // Re-issue every request cookie with an expiry in the past
                        // so that the browser deletes it.
                        foreach (var cookie in context.Request.Cookies)
                        {
                            context.Response.Cookies.Append(cookie.Key, cookie.Value, new CookieOptions
                            {
                                Expires = DateTime.UtcNow.AddDays(-1)
                            });
                        }
                    }
                }
            });
        }
    }
}
```
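Expiring cookies this way only affects the browser that receives the sign-out response; a copy of the authentication cookie held anywhere else stays valid until its ticket expires. The following added example (not code from the original post) fills the `OnValidateIdentity` placeholder with ASP.NET Identity's security stamp check and rotates the stamp on sign-out, so the server itself rejects old cookies. It assumes the `ApplicationUser` and `ApplicationUserManager` types from the MVC 5 project template, a manager registered with `app.CreatePerOwinContext`, and a hypothetical helper class named `ServerSideSignOut`.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;

// Hypothetical helper, not part of the original post.
public static class ServerSideSignOut
{
    // Use the result as Provider in CookieAuthenticationOptions; the
    // OnResponseSignOut handler from the post can be set on it as well.
    public static CookieAuthenticationProvider CreateProvider()
    {
        return new CookieAuthenticationProvider
        {
            // Once validateInterval has elapsed since the cookie was issued,
            // the stamp stored in the cookie is compared with the user's
            // current stamp; on a mismatch the cookie is rejected.
            OnValidateIdentity = SecurityStampValidator
                .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(1), // assumed value
                    regenerateIdentity: (manager, user) =>
                        manager.CreateIdentityAsync(
                            user, DefaultAuthenticationTypes.ApplicationCookie))
        };
    }

    // Call from the sign-out action before redirecting.
    public static async Task SignOutEverywhereAsync(HttpContextBase http)
    {
        var owin = http.GetOwinContext();
        var manager = owin.GetUserManager<ApplicationUserManager>();
        var userId = http.User.Identity.GetUserId();

        if (userId != null)
        {
            // Changing the stamp makes every cookie issued earlier fail the
            // check above, including copies on other devices.
            await manager.UpdateSecurityStampAsync(userId);
        }

        // Triggers OnResponseSignOut for the current response.
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    }
}
```

A shorter `validateInterval` narrows the window in which an old cookie is still accepted, at the cost of more user-store lookups. Rotating the stamp signs the user out of every session, not only the current one.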