According to the ASP.NET Core documentation, the method HttpContext.Authentication.SignOutAsync()
must delete the authentication cookie as well.
Maybe, like in my case, you are using the ASP.NET Core Identity authentication stuff,
so instead of using HttpContext.Authentication.SignOutAsync() or HttpContext.SignOutAsync() you can try to use the API from ASP.NET Identity:
    SignInManager.SignOutAsync()
The API from HttpContext didn't clear cookies with names starting with ".AspNetCore."
(To use SignInManager you need to bring in SignInManager via ASP.NET Core's DI.)
I solved the problem with deleting my site cookies with the following snippet placed in my Logout() method in the controller. I found that multiple cookies would be created by my site.
    // Delete the authentication cookie(s) we created when user signed in.
    // Requires "using System.Linq;" for the Where() call.
    if (HttpContext.Request.Cookies[".MyCookie"] != null)
    {
        // Large tickets are split across several cookies that share the ".MyCookie" prefix
        var siteCookies = HttpContext.Request.Cookies.Where(c => c.Key.StartsWith(".MyCookie"));
        foreach (var cookie in siteCookies)
        {
            Response.Cookies.Delete(cookie.Key);
        }
    }
And in Startup.cs:
    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationScheme = "Cookies",
        LoginPath = new PathString("/Account/Login/"),
        AccessDeniedPath = new PathString("/Home/Index/"),
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        CookieName = ".MyCookie"
    });
Notice that I do not use await HttpContext.Authentication.SignOutAsync("MyCookieMiddlewareInstance");
since I am using OpenIdConnect with Google.
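
An added example, not code from either answer above, that combines the two approaches: a Logout action that signs out through an injected SignInManager and then expires any leftover cookie named exactly ".MyCookie" or one of its numbered chunks, rather than everything sharing the prefix. Assumptions: Identity is registered in DI, ApplicationUser is a stand-in for the app's own user class, the cookie name is the one from the Startup.cs above, and the cookies were issued with Path "/".

```csharp
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumption: stand-in for the application's Identity user class.
public class ApplicationUser { }

public class AccountController : Controller
{
    // Assumption: same value as CookieName in the Startup.cs shown on this page.
    private const string AuthCookieName = ".MyCookie";

    // Matches the base cookie and its numbered chunks (".MyCookieC1", ".MyCookieC2", ...)
    // written when the ticket is too large for a single cookie. A bare StartsWith
    // would also match unrelated cookies that merely share the prefix.
    private static readonly Regex AuthCookiePattern =
        new Regex("^" + Regex.Escape(AuthCookieName) + @"(C\d+)?$");

    private readonly SignInManager<ApplicationUser> _signInManager;

    // SignInManager is supplied by ASP.NET Core's DI once Identity is registered.
    public AccountController(SignInManager<ApplicationUser> signInManager)
    {
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // sign-out changes state: POST plus antiforgery token
    public async Task<IActionResult> Logout()
    {
        // Signs out of the Identity cookie schemes (application, external, two-factor).
        await _signInManager.SignOutAsync();

        // Expire anything left over. The browser only drops a cookie when the
        // Path (and Domain, if one was set) matches what it was issued with.
        var leftovers = Request.Cookies.Keys
            .Where(name => AuthCookiePattern.IsMatch(name))
            .ToList();
        foreach (var name in leftovers)
        {
            Response.Cookies.Delete(name, new CookieOptions { Path = "/" });
        }

        return RedirectToAction("Index", "Home");
    }
}
```

Deleting the cookie only clears it from the browser; with the default stateless cookie ticket, a copy captured before sign-out stays valid until it expires.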