
I have a web app that uses an external login service (OAuth) for authentication and needs to be redirected to the SSO server for login. My problem is that after the first login the browser saves a cookie related to the SSO, and the second time it does not ask for a username and password; it simply bounces back from the SSO to the main web app.

I tried removing the cookies manually and it works! But when I tried doing it with a piece of code like:

foreach (var cookie in Request.Cookies.Keys) Response.Cookies.Delete(cookie);

they also get deleted, but it just looks like they've been deleted: it won't ask for the user's credentials and just bounces back.

some ediot
  • Looks like in this case the SSO is creating a cookie while the user logs in. When the user logs out from your application you should also call the logout endpoint of the external service so that the user is logged out from there too. – Chetan Jul 07 '19 at 05:37
  • Are you using OpenIdConnect? – Ali Bahrami Jul 07 '19 at 06:30
  • @ChetanRanpariya I implemented your solution; turns out the OAuth provider already calls that and my function served no purpose – some ediot Jul 07 '19 at 08:33
  • @AliBahraminezhad no, it uses OAuth – some ediot Jul 07 '19 at 08:34
  • Does the external service actually log out the user? Some login systems do not actually log out the user, such as Active Directory. What kind of external login are you using? You need to verify whether the external service is actually logging out the user and check if the integration is proper. – Chetan Jul 07 '19 at 08:48
  • @ChetanRanpariya it returned success, and if you try the same request you get 401 – some ediot Jul 07 '19 at 08:56
  • It's so dumb: when I delete the cookies manually from the browser there is no problem and the SSO asks for user/pass, but when I do it with code it's like I only deleted the session cookie – some ediot Jul 07 '19 at 08:59
  • Instead of deleting the cookies you can try expiring them by setting their expiry to a date before the current date. – Chetan Jul 07 '19 at 10:42
  • Hi, did you find a solution? I am also facing the same issue. – kulls Aug 26 '21 at 15:53
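The loop in the question can only reach cookies the browser sent to the app's own host; a cookie the SSO server set for its own host never appears in Request.Cookies, so the app cannot expire it, which is why Chetan's suggestion of calling the external logout endpoint matters. The following added example (not code from the question, the answer, or any real browser) models a browser cookie jar with RFC 6265 domain scoping and replays the delete loop with and without that logout call; the hostnames app.example.com / sso.example.com and the cookie names are constructed placeholders.

```python
class BrowserJar:
    """Simplified browser cookie store with RFC 6265 domain scoping (Path is ignored)."""

    def __init__(self):
        self._store = {}  # (name, domain) -> host_only flag (True when Set-Cookie had no Domain)

    @staticmethod
    def _matches(host, domain, host_only):
        # Host-only cookies need an exact host; domain cookies also match subdomains.
        return host == domain or (not host_only and host.endswith("." + domain))

    def set_cookie(self, from_host, name, domain=None):
        """Store a Set-Cookie sent by from_host; Domain may only be from_host or a parent of it."""
        if domain is None:
            self._store[(name, from_host)] = True
        elif from_host == domain or from_host.endswith("." + domain):
            self._store[(name, domain)] = False
        # Anything else is dropped: a host cannot set cookies for an unrelated domain.

    def cookies_sent_to(self, host):
        """Names the browser attaches to a request for host (what that server sees in Request.Cookies)."""
        return sorted(n for (n, d), ho in self._store.items() if self._matches(host, d, ho))

    def expire(self, from_host, name):
        """A past-dated Set-Cookie without Domain (what Response.Cookies.Delete emits) removes only from_host's own cookie."""
        self._store.pop((name, from_host), None)


def logout_and_check(call_sso_logout):
    """Login left a cookie on each host (constructed names); the app then runs the question's
    delete loop, optionally followed by a call to the SSO server's own logout endpoint."""
    jar = BrowserJar()
    jar.set_cookie("sso.example.com", "sso_session")  # set by the SSO server during the first login
    jar.set_cookie("app.example.com", "app_session")  # the web app's own auth cookie
    for name in jar.cookies_sent_to("app.example.com"):  # Request.Cookies.Keys on the app
        jar.expire("app.example.com", name)              # Response.Cookies.Delete(name)
    if call_sso_logout:
        jar.expire("sso.example.com", "sso_session")     # only the SSO host can clear this one
    return jar.cookies_sent_to("app.example.com"), jar.cookies_sent_to("sso.example.com")


if __name__ == "__main__":
    print("app-side delete loop only:", logout_and_check(False))  # ([], ['sso_session'])
    print("plus SSO logout endpoint:", logout_and_check(True))    # ([], [])
```

The same scoping rule is why a cookie set with Domain=example.com by the SSO host is visible to the app, yet an expiring Set-Cookie from the app host still does not remove it.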

1 Answer


It seems your problem is not with the cookies; the page is loaded from the browser cache when you load it the 2nd time.

You need to disable browser caching for your index.html page; that will load a new page every time the browser requests the page from the server. For that, add meta tags in the index.html header.

<meta http-equiv="Cache-control" content="no-cache, no-store">
<meta http-equiv="Pragma" content="no-cache">

no-cache and max-age=0, must-revalidate indicate the same meaning.

(Pragma & Cache-Control are one and the same thing but from different HTTP specifications. See the answer here: Difference between Pragma and Cache-control headers?)

Or you can append a date to the script tag for fetching the JS:

<!-- cache-busting: append the current timestamp so the browser requests a fresh copy instead of reusing the cached one -->
<script>document.write('<script src="js/config.js?v=' + Date.now() + '" type="text/javascript"><\/script>');</script>

By doing this, whenever the front-end sends a request it will append a new datetime, which tells the browser that the cached JS is different from the request and prevents it from loading the cached version of the page. Now, after your new page is loaded (not from cache), an auth request will happen, and after a successful login your page will be redirected.

If you are concerned about performance while loading it every time on navigation, you must use a framework like Angular, which is a single-page application, so it will load only once when reloaded and continue the same while you navigate.

  • You can add those meta tags in index.html, or
  • If the backend is an IIS server, add a web.config file (I have not tried with other servers)

In the root web.config we specify that we don't want index.html to be cached by setting the Cache-Control, Pragma and Expires request headers as well as the max-age to 0.

<location path="index.html">
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="DisableCache" cacheControlMaxAge="0.00:00:00" />
    </staticContent>
    <httpProtocol>
      <customHeaders>
        <add name="Cache-Control" value="no-cache, no-store, must-revalidate" />
        <add name="Pragma" value="no-cache" />
        <add name="Expires" value="-1" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

For more details on caching check these

Josef