
I have a website that's using ASP.NET Core MVC. It's hosted as an App Service in Azure. Authentication happens against Azure AD.

The authentication cookie is a session cookie.

Is there a way to force all existing session cookies to be invalid? Back in the day of .NET Web Forms I would have recycled the app pool or changed the machine key.

I don't care if the cookies still exist, I just want them to no longer be accepted by my web application.

1 Answer


In order to invalidate the auth cookies in an ASP.NET Core application, you need to delete the encryption keys. I am hosting my site in Azure and the encryption keys are stored at %HOME%\ASP.NET\DataProtection-API. There will be one or more XML files stored in that directory; those are the keys. Delete the XML files and restart the web application (you must restart the web application as the keys are stored in-memory).

I ran into an issue where I had scaled out my web application and both web apps started simultaneously. This caused each app to create its own key and (more importantly) be unaware of the other app's key. To help prevent this from happening, I perform the following steps:

  1. Scale down my app service to 1 instance
  2. Delete the XML files
  3. Restart the web application
  4. Request a page from the web application (ensure it has been restarted)
  5. Scale my app service back up
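
The same effect (every existing auth cookie stops being accepted) can be reached through the Data Protection key-management API rather than by deleting the XML files by hand, which also avoids the window in which a scaled-out instance has no key at all. The example below is added here and is not code from the answer above; it assumes the ASP.NET Core 6+ minimal hosting model, an authorization policy named `KeyAdmin` and a role named `Admin` (both hypothetical), and it omits the Azure AD sign-in setup from the question. Be aware that Data Protection keys also protect antiforgery tokens and TempData, so revoking them invalidates those too; and because other running instances cache the key ring in memory, they still need a restart (or a wait for their periodic refresh) before they reject the old cookies, exactly as the answer describes.

```csharp
// Program.cs, added example (not the answer's own code).
// Revokes every Data Protection key and creates a fresh one, so cookies
// protected with the old keys fail to unprotect and users must sign in again.
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;

var builder = WebApplication.CreateBuilder(args);

// AddDataProtection() registers IKeyManager (injected below). On Azure App Service
// the default key store is %HOME%\ASP.NET\DataProtection-API, the folder named in the answer.
builder.Services.AddDataProtection();

// Hypothetical policy/role: only administrators may force a global sign-out.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("KeyAdmin", policy => policy.RequireRole("Admin")));

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// POST /admin/revoke-sessions
// 1. RevokeAllKeys marks every key created up to 'now' as revoked; unprotecting a
//    payload with a revoked key throws, and the cookie handler then treats the
//    request as anonymous.
// 2. CreateNewKey activates a replacement immediately so new sign-ins still work;
//    without it the app would have no usable key until the next automatic rollover.
app.MapPost("/admin/revoke-sessions", (IKeyManager keyManager) =>
{
    var now = DateTimeOffset.UtcNow;
    keyManager.RevokeAllKeys(now, reason: "forced sign-out of all sessions");
    var newKey = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    return Results.Ok(new { revokedAt = now, newKeyId = newKey.KeyId });
}).RequireAuthorization("KeyAdmin");

app.Run();
```

The revocation is written to the key repository, so instances started after the call load it; an instance that was already running only sees it once its cached key ring refreshes or it is restarted, which is why the answer's scale-down/restart sequence is still the safe way to roll this out across a scaled-out App Service.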