Question

I just started fiddling around with OWIN/Katana and MVC.NET 5.0. The default Visual Studio 2013 ASP.NET Web Application/MVC Template has an AccountController with a LogOut() action:

    public ActionResult LogOff() {
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }

As expected, this works just fine. However, when I change the response status code, e.g. by:

    Response.SetStatus(HttpStatusCode.SeeOther);

... The AuthenticationManager.SignOut() method no longer causes the user to become logged off. Why is that?

I tried different approaches for setting the HTTP status code for the response, as well as changing HTTP headers like Location, and always with the same result - the user is not logged off when the LogOff() action is executed, if I get into tampering with the response.

I tried not using RedirectToAction (which explicitly implements a 302 redirect - that's another story), and not returning an ActionResult, but that made no difference - not that I'd really expect it to.

Using Fiddler I can tell that the response as it appears to the browser looks fine, not holding any surprises.

I also tried looking through the source code of the OWIN middleware at work, but the architecture is still unfamiliar to me, and I found no answers that I could grasp in there. I need your help in sorting this out, so thank you in advance!

Solution

The reason AuthenticationManager.SignOut() fails is that Response.SetStatus(HttpStatusCode.SeeOther) internally ends the response:

    public static void SetStatus(this HttpResponseBase response, int httpStatusCode)
    {
        response.StatusCode = httpStatusCode;
        response.End();
    }

(See System.Web.WebPages.ResponseExtensions)

After this, naturally the ResponseManager cannot manipulate the response to remove cookies etc.
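
One way to confirm from a captured logout response (for instance in Fiddler) whether the authentication cookie was actually cleared. This is an added example, not code from the original posts or from Katana; the cookie name `.AspNet.ApplicationCookie` and the sample headers are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

static class LogoutCheck
{
    // True when one of the Set-Cookie headers clears `cookieName`:
    // either an empty value or an expires attribute that lies in the past.
    public static bool ClearsCookie(IEnumerable<string> setCookieHeaders,
                                    string cookieName, DateTimeOffset now)
    {
        foreach (var header in setCookieHeaders)
        {
            var parts = header.Split(';').Select(p => p.Trim()).ToArray();
            var pair = parts[0].Split(new[] { '=' }, 2);
            if (pair.Length != 2 || pair[0] != cookieName) continue;
            if (pair[1].Length == 0) return true;

            foreach (var attr in parts.Skip(1))
            {
                var kv = attr.Split(new[] { '=' }, 2);
                DateTimeOffset expires;
                if (kv.Length == 2
                    && kv[0].Equals("expires", StringComparison.OrdinalIgnoreCase)
                    && DateTimeOffset.TryParse(kv[1], CultureInfo.InvariantCulture,
                                               DateTimeStyles.AssumeUniversal, out expires)
                    && expires < now)
                    return true;
            }
        }
        return false; // no clearing header: the browser keeps its session cookie
    }

    static void Main()
    {
        const string name = ".AspNet.ApplicationCookie"; // assumed cookie name
        // Constructed sample headers, not captured from a real application.
        var signedOut = new[] { name + "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT" };
        var endedEarly = new[] { "other=1; path=/" }; // response ended before sign-out applied

        Console.WriteLine(ClearsCookie(signedOut, name, DateTimeOffset.UtcNow));
        Console.WriteLine(ClearsCookie(endedEarly, name, DateTimeOffset.UtcNow));
    }
}
```

A logout response that carries the intended status code but no clearing `Set-Cookie` for the authentication cookie leaves the session usable, which is the failure described in the question.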

OTHER TIPS

This works fine for me with the following LogOut method, are you doing something slightly differently?

    //
    // POST: /Account/LogOff
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        Response.StatusCode = 303;
        AuthenticationManager.SignOut();
        return RedirectToAction("Index", "Home");
    }

Licensed under: CC-BY-SA with attribution