Which browsers does this happen in? Chrome 80+?

From what I have tested so far this is happening in Chrome 84, Edge 84, Firefox (Extended Support Release) 68, Internet Explorer 11.

Do your cookie have a Secure flag? And do the "cookie deletion" (when deleting a cookie the server sends the same cookie name, but with an old expiration date) also feature a Secure flag?

Thank you for the info.

From what I can tell, we are not using any custom logout or cookie deletion script. So I assume we are using episerver defaults?

Yes, that you would be the Episerver defaults which in turn relies on the OWIN cookie authentication middleware.

Do you use HTTPS or HTTP when it doesn't work? And can you find and show me the Set-Cookie response header from the log-out page request?

Try to remove forcefully cookies from the browser on signout action and pass the cookie name into remove method as below:

public ActionResult Logout()
{
   var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();  
   uiSignInManager.SignOut();
   
   HttpContext.Response.Cookies.Remove(".AspNetCore.Cookies");
   
   return RedirectToAction("Index");
}

Thank you for the suggestion. This was actually one of the first things I tried, I tried it again with your syntax and again it had no effect. However it just occured to me to set a breakpoint in Visual Studio while running the app locally on my pc and upon trying to sign out of EpiServer the breakpoint was never triggered. Where else could there be a signout action? Where is it common to place this signout action in episerver?

So when I click on log out in the drop down menu, I am taken to ../Util/logout.aspx

Here is the set-cookie from the response header of that page:

access-control-expose-headers: Request-Context
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 5c5b34530ee4cb98
cf-request-id: 04ad03d3e20fgyfgyfg0200000001
content-encoding: gzip
content-length: 2599
content-type: text/html; charset=utf-8
date: Thu, 20 Aug 2020 10:29:57 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: -1
pragma: no-cache
request-context: appId=cid-v1:dfgyfdg5-1650-4750-81d0-yfgyfgyfgf
server: cloudflare
set-cookie: __epiXSRF=QBY3NoddYh7udKJiNLExnx2gl8RQgIMyy9NoexL4k04=; path=/; secure; HttpOnly
status: 200
strict-transport-security: max-age=15552000; includeSubDomains; preload
vary: Accept-Encoding
x-aspnet-version: 4.0.30319
x-content-type-options: nosniff
X-DNS-Prefetch-Control: off
x-powered-by: ASP.NET

The Upcoming SameSite Cookie has been changed in ASP.NET and ASP.NET Core according to this article, so try with different way:

Ensure that ASP.NET_SessionId cookie has "secure" flag set to "true" explicitly

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="strict" />
</system.web>

Remove cookies forcefully.

HttpCookie Cookie = HttpContext.Current.Request.Cookies[cookieName];
if (Cookie != null)
{
    Cookie.Secure = true;
    Cookie.Expires = DateTime.Now.AddDays(-1);
    HttpContext.Current.Response.Cookies.Add(Cookie);
}

Hi epiNewbie

First of all, the code you implemented in your PageControllerBase class, will not be hit from /util/logout.aspx. The logic is more or less the same, as both are calling the same service. But you won't see your breakpoint being hit.

Second. I was asking for browser version etc. because Chrome (and the others) have made some big changes to cookie security.

To make sure a SameSite mode is being transmitted when deleting the cookie, you can try these steps:

1. Make sure the project is on .Net Framework 4.7.2
2. Copy the SameSiteCookieManager class from this documentation page.
3. Upgrade all NuGet packages, which starts with "Microsoft.Owin" to version 4.1.0 or higher (if available).
4. Merge in the CookieManager property from below code sample into your Startup.cs file.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieManager = new SameSiteCookieManager(new CookieManager())
    // ... Rest follows here.
}

Let us know whether this works or not. If not, there are other things to try.

Hi Stefan,

So I have changed the .NET version of our project from 4.6.1 to 4.7.2.

I have added the SameSiteCookieManager class from the documentation page but in this new class I get the following error in relation to: 


public SameSiteCookieManager() : this(new CookieManager())
        {
        }

The error is in reference to CookieManager() : "The type or namespace name 'CookieManager' could not be found (are you missing a using directive or assembly reference?)"

Any idea what could be the cause of this? (I am a relative newbie when it comes to C#).

So quick question, I have been able to incorporate the SameSiteCookieManager Class to almost 99%. Currently I am getting an error in Visual Studio that DisallowsSameSiteNone is not recognized. I have not been able to find out yet which reference or package this requires to work. Any idea?

How can I check that in fact the episerver logout script is firing? From that I could tell from searching the web /util/logout.aspx simply contains a page with a confirmation message that logout has been completed and offers a button to log in again. But that does not mean the episerver logout script is in fact firing in our case. However I cannot find anything related to a logout in our Visual Studio project execpt in Controllers/PageControllerBase.cs which as mentioned in a previous post here in the thread is not firing (breakpoint was not reached).

So is there anything I can test/check in episerver to see if default logout behaviour is working? I am assuming this is tucked away in somd dll correct?

Any other suggestions on what to try to fix this logout issue?