我遇到的问题是以下代码似乎没有按预期工作:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
执行此操作时,上面的代码行我希望以下属性为false
AuthenticationManager.User.Identity.IsAuthenticated
但它不是,它仍然是真的(仅限IE浏览器,我使用的是IE 11)
我通过以下属性公开我的Owin上下文:
public IAuthenticationManager AuthenticationManager
{
get
{
return HttpContext.Current.GetOwinContext().Authentication;
}
}
我还尝试使用以下代码手动删除身份验证Cookie:
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
var appCookie = HttpContext.Current.Request.Cookies[".AspNet.AuthCookie"];
if (appCookie != null)
{
appCookie = new HttpCookie(".AspNet.AuthCookie");
appCookie.Expires = DateTime.Now.AddYears(-1);
HttpContext.Current.Response.Cookies.Add(appCookie);
}
再次,这在IE中不起作用。它适用于Chrome。
仅供参考,我在Startup.Auth.cs中手动设置cookie的名称
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
ExpireTimeSpan = TimeSpan.FromMinutes(Config.AuthenticationCookieTimeOutMinutes),
CookieHttpOnly = true,
CookieName = ".AspNet.AuthCookie",
LoginPath = new PathString("/Account/Login"),
CookieSecure = CookieSecureOption.SameAsRequest
});
有很多网上关于Signout()方法无法正常工作,但大多数解决方案是手动删除cookie,我对此并不满意。为什么这在IE 11中不起作用?
更新
所以我无法解决IE中的cookie问题,但是能够通过覆盖AuthorizeAttribute的HandleUnauthorizedRequest虚拟来查看用户是否已经过身份验证,然后双重检查会话中保存的CurrentUser来克服此问题
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
UserAccount currentUser = (UserAccount)filterContext.HttpContext.Session[SessionStrings.CurrentUser];
if (filterContext.HttpContext.Request.IsAuthenticated && currentUser != null)
{
...
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}