Vulnerability in EPiServer.Forms
When I click on logout I am taken to util/logout.aspx; however, when I navigate back to the main page of our website I am still logged in and can access the CMS backend.
From what I can tell the cookie .AspNet.ApplicationCookie is not being deleted.
In our PageControllerBase.cs we have:
```csharp
public ActionResult Logout()
{
    // Same as the Alloy sample: sign out through Episerver's UI sign-in manager.
    var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
    uiSignInManager.SignOut();
    return RedirectToAction("Index");
}
```
Which, when I compare it to the Alloy EpiServer demo, appears to be identical.
Where else do I need to look to check what could be the issue?
In case it is also relevant, we are using a custom login page:
```csharp
public class CustomLoginController : Controller
{
    private UISignInManager uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
    private UIUserProvider uiUserProvider = ServiceLocator.Current.GetInstance<UIUserProvider>();

    public ActionResult Index()
    {
        return View(Global.CustomLoginView, new CustomLoginViewModel());
    }

    public ActionResult LocalLogin(CustomLoginViewModel model)
    {
        bool result = uiSignInManager.SignIn(uiUserProvider.Name, model.Username, model.Password);
        if (result) return Redirect("/"); // success redirect not shown in the post; "/" is a placeholder
        ModelState.AddModelError("LoginError", "Login failed");
        return View(Global.CustomLoginView, model);
    }
}
```
Which browsers does this happen in? Chrome 80+?
From what I have tested so far this is happening in Chrome 84, Edge 84, Firefox (Extended Support Release) 68, Internet Explorer 11.
Does your cookie have a Secure flag? And does the "cookie deletion" (when deleting a cookie the server sends the same cookie name, but with an old expiration date) also feature a Secure flag?
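The reply above describes how a cookie is deleted: the server re-sends the same cookie name with an expiry in the past (or Max-Age=0), and the browser only honours it when the Path and Domain match the original and, for a Secure cookie, the deleting response itself comes over HTTPS. The following console program is an added example, not code from the thread or from Episerver, that parses the Set-Cookie headers of a logout response and reports whether a named cookie is really being cleared. The header values it runs on are constructed; the cookie name `.AspNet.ApplicationCookie` is the one named in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// Added example: audit the Set-Cookie headers of a logout response.
public static class LogoutCookieCheck
{
    public sealed class SetCookie
    {
        public string Name;
        public string Path;
        public bool Secure;
        public bool HttpOnly;
        public DateTimeOffset? Expires;
        public int? MaxAge;

        // A deletion is Max-Age=0 or an Expires date that already lies in the past.
        public bool IsDeletion
        {
            get { return MaxAge == 0 || (Expires.HasValue && Expires.Value < DateTimeOffset.UtcNow); }
        }
    }

    public static SetCookie Parse(string headerValue)
    {
        var parts = headerValue.Split(';').Select(p => p.Trim()).ToList();
        var cookie = new SetCookie { Name = parts[0].Split('=')[0] };
        foreach (var attribute in parts.Skip(1))
        {
            var kv = attribute.Split(new[] { '=' }, 2);
            var key = kv[0].ToLowerInvariant();
            var val = kv.Length > 1 ? kv[1] : null;
            DateTimeOffset expires;
            switch (key)
            {
                case "path": cookie.Path = val; break;
                case "secure": cookie.Secure = true; break;
                case "httponly": cookie.HttpOnly = true; break;
                case "max-age": cookie.MaxAge = int.Parse(val, CultureInfo.InvariantCulture); break;
                case "expires":
                    // ASP.NET emits "Thu, 01-Jan-1970 00:00:00 GMT"; normalise the dashes before parsing.
                    if (DateTimeOffset.TryParse(val.Replace('-', ' '), CultureInfo.InvariantCulture,
                                                DateTimeStyles.AssumeUniversal, out expires))
                        cookie.Expires = expires;
                    break;
            }
        }
        return cookie;
    }

    // Findings for the named cookie; an empty list means the deletion looks correct.
    public static List<string> Audit(IEnumerable<string> setCookieHeaders, string cookieName,
                                     string originalPath, bool originalWasSecure)
    {
        var findings = new List<string>();
        var match = setCookieHeaders.Select(Parse).FirstOrDefault(c => c.Name == cookieName);
        if (match == null)
        {
            findings.Add("no Set-Cookie for " + cookieName + ": the session cookie is never cleared");
            return findings;
        }
        if (!match.IsDeletion)
            findings.Add(cookieName + " is re-issued rather than expired");
        if ((match.Path ?? "/") != originalPath)
            findings.Add("Path '" + match.Path + "' differs from the original '" + originalPath + "'");
        if (originalWasSecure && !match.Secure)
            findings.Add("original cookie was Secure but the deleting Set-Cookie is not");
        return findings;
    }

    public static void Main()
    {
        // Constructed headers: only an XSRF cookie is set, nothing expires the auth cookie.
        var observed = new[] { "__epiXSRF=<token>; path=/; secure; HttpOnly" };
        foreach (var finding in Audit(observed, ".AspNet.ApplicationCookie", "/", true))
            Console.WriteLine("FAIL: " + finding);

        // Constructed header showing what a correct deletion of the same cookie looks like.
        var expected = new[]
        {
            ".AspNet.ApplicationCookie=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure; HttpOnly"
        };
        Console.WriteLine(Audit(expected, ".AspNet.ApplicationCookie", "/", true).Count == 0
            ? "OK: auth cookie expired with matching attributes"
            : "FAIL: deletion header is wrong");
    }
}
```

Run it against the raw response headers of the logout request (copied from the browser's network tab) to see at a glance whether the authentication cookie is missing from the response, re-issued instead of expired, or expired with a Path or Secure attribute that does not match the cookie the browser holds.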
Thank you for the info.
From what I can tell, we are not using any custom logout or cookie deletion script. So I assume we are using episerver defaults?
Yes, that would be the Episerver defaults, which in turn rely on the OWIN cookie authentication middleware.
Do you use HTTPS or HTTP when it doesn't work? And can you find and show me the Set-Cookie response header from the log-out page request?
Try to forcefully remove the cookies from the browser in the signout action and pass the cookie name into the remove method, as below:
```csharp
public ActionResult Logout()
{
    var uiSignInManager = ServiceLocator.Current.GetInstance<UISignInManager>();
    uiSignInManager.SignOut();
    // Expire the auth cookie explicitly (the post's remove helper is not shown);
    // Response.Cookies.Remove alone would not send a deleting Set-Cookie to the browser.
    Response.Cookies.Add(new HttpCookie(".AspNet.ApplicationCookie", string.Empty)
    {
        Expires = DateTime.UtcNow.AddDays(-1),
        Path = "/",
        HttpOnly = true,
        Secure = Request.IsSecureConnection
    });
    return RedirectToAction("Index");
}
```
Thank you for the suggestion. This was actually one of the first things I tried; I tried it again with your syntax and again it had no effect. However, it just occurred to me to set a breakpoint in Visual Studio while running the app locally on my PC, and upon trying to sign out of EpiServer the breakpoint was never triggered. Where else could there be a signout action? Where is it common to place this signout action in episerver?
So when I click on log out in the drop down menu, I am taken to ../Util/logout.aspx
Here is the set-cookie from the response header of that page:
```http
content-type: text/html; charset=utf-8
date: Thu, 20 Aug 2020 10:29:57 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __epiXSRF=QBY3NoddYh7udKJiNLExnx2gl8RQgIMyy9NoexL4k04=; path=/; secure; HttpOnly
strict-transport-security: max-age=15552000; includeSubDomains; preload
```
The upcoming SameSite cookie changes have been handled in ASP.NET and ASP.NET Core according to this article, so try a different way:
Ensure that the ASP.NET_SessionId cookie has the "secure" flag explicitly set to "true":
```xml
<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="strict" />
```
Remove cookies forcefully:
```csharp
HttpCookie Cookie = HttpContext.Current.Request.Cookies[cookieName];
if (Cookie != null)
{
    Cookie.Secure = true;
    Cookie.Expires = DateTime.Now.AddDays(-1);
    // The expired copy must be written to the response; changing the request cookie alone sends nothing.
    HttpContext.Current.Response.Cookies.Add(Cookie);
}
```
First of all, the code you implemented in your PageControllerBase class will not be hit from /util/logout.aspx. The logic is more or less the same, as both are calling the same service. But you won't see your breakpoint being hit.
Second, I was asking for browser version etc. because Chrome (and the others) have made some big changes to cookie security.
To make sure a SameSite mode is being transmitted when deleting the cookie, you can try these steps:
```csharp
// In Startup.Configuration: wrap the cookie manager used by the OWIN cookie middleware.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    CookieManager = new SameSiteCookieManager(new CookieManager())
    // ... Rest follows here.
});
```
Let us know whether this works or not. If not, there are other things to try.
So I have changed the .NET version of our project from 4.6.1 to 4.7.2.
I have added the SameSiteCookieManager class from the documentation page but in this new class I get the following error in relation to:
```csharp
// CookieManager is Microsoft.Owin.Infrastructure.CookieManager (Microsoft.Owin 4.1 or later)
public SameSiteCookieManager() : this(new CookieManager())
{
}
```
The error is in reference to CookieManager() : "The type or namespace name 'CookieManager' could not be found (are you missing a using directive or assembly reference?)"
Any idea what could be the cause of this? (I am a relative newbie when it comes to C#).
So quick question, I have been able to incorporate the SameSiteCookieManager class to almost 99%. Currently I am getting an error in Visual Studio that DisallowsSameSiteNone is not recognized. I have not been able to find out yet which reference or package this requires to work. Any idea?
How can I check that the episerver logout script is in fact firing? From what I could tell from searching the web, /util/logout.aspx simply contains a page with a confirmation message that logout has been completed and offers a button to log in again. But that does not mean the episerver logout script is in fact firing in our case. However, I cannot find anything related to a logout in our Visual Studio project except in Controllers/PageControllerBase.cs which, as mentioned in a previous post here in the thread, is not firing (breakpoint was not reached).
So is there anything I can test/check in episerver to see if the default logout behaviour is working? I am assuming this is tucked away in some dll, correct?
Any other suggestions on what to try to fix this logout issue?