
I am trying to use cookie authentication as the default scheme to compute and cache the claims of a Windows user. Below is the account controller I use for this purpose.

using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;

[Route("account"), AllowAnonymous]
public class AccountController : Controller
{

    [HttpGet, Route("login")]
    public async Task<IActionResult> Login(string returnUrl)
    {
        var windowsAuthenticationScheme = IISDefaults.AuthenticationScheme;

        // Run only the Windows (IIS) scheme to obtain the Windows principal.
        var result = await HttpContext.AuthenticateAsync(windowsAuthenticationScheme);
        if (result?.Principal is WindowsPrincipal wp)
        {
            var id = new ClaimsIdentity(windowsAuthenticationScheme);
            // add claims

            // Sign in with the default (cookie) scheme so the computed claims are cached in the cookie.
            await HttpContext.SignInAsync(new ClaimsPrincipal(id));
            // Only follow local return URLs; an unchecked Redirect(returnUrl) is an open redirect.
            return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("/");
        }

        return Challenge(windowsAuthenticationScheme);
    }

    [HttpPost, Route("logout")]
    public async Task Logout()
    {
        await HttpContext.SignOutAsync();
        // both should have similar effect as cookie authentication is the default scheme
        // await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}

This works well at login time. However, the logout process does not seem to work properly. After I issue an HTTP POST from the browser to the route /account/logout, the cookie is cleared correctly in the browser.

However, on refresh, the user is automatically authenticated again without hitting the login endpoint. Explicitly deleting the cookie with HttpContext.Response.Cookies.Delete(".AspNetCore.Cookies"); does not help either. What am I doing wrong?


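The symptom in the question (the user comes back as authenticated after the cookie is gone) is what the IIS integration middleware produces with its default IISOptions.AutomaticAuthentication = true: on every request it sets HttpContext.User to the Windows principal before the cookie handler ever runs, so clearing the cookie changes nothing. The following is an added example, not the question's own code, of a Startup and controller pair that turns that automatic behaviour off, makes the cookie scheme the explicit default, and only invokes the Windows scheme on demand from the login action. It assumes ASP.NET Core 2.x hosted under IIS or IIS Express with both Windows and Anonymous authentication enabled for the site (anonymous so that unauthenticated requests reach the app instead of being challenged by IIS itself); the paths, cookie options and the name claim copied from the Windows identity are illustrative choices.

```csharp
// Added example (not from the original post): cookie scheme as the explicit default,
// IIS Windows authentication used only when the login action challenges for it.
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Key setting. With the default (true) the IIS middleware replaces HttpContext.User with
        // the Windows principal on every request, regardless of any cookie. With it off, the
        // "Windows" scheme is still registered and still answers an explicit
        // AuthenticateAsync/Challenge for IISDefaults.AuthenticationScheme, but nothing more.
        services.Configure<IISOptions>(options =>
        {
            options.AutomaticAuthentication = false;
        });

        // Cookie scheme is the default for authenticate, sign-in, sign-out and challenge.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/account/login";          // assumed path
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must run before MVC so [Authorize] sees the cookie principal
        app.UseMvc();
    }
}

[Route("account"), AllowAnonymous]
public class AccountController : Controller
{
    [HttpGet, Route("login")]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // Ask only the Windows scheme; with AutomaticAuthentication off it has not run yet.
        var result = await HttpContext.AuthenticateAsync(IISDefaults.AuthenticationScheme);
        if (result.Succeeded && result.Principal is WindowsPrincipal wp)
        {
            // Identity the cookie will carry; claims computed here are cached in the cookie
            // and are not recomputed until the next login.
            var id = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
            id.AddClaim(new Claim(ClaimTypes.Name, wp.Identity.Name)); // illustrative claim
            // ... further computed claims go here

            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(id));

            // Follow only local return URLs to avoid an open redirect.
            return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("/");
        }

        // Explicit challenge: the only place Windows authentication is triggered.
        return Challenge(IISDefaults.AuthenticationScheme);
    }

    [HttpPost, Route("logout"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // Signing out of the cookie scheme is now sufficient: no middleware re-asserts
        // the Windows principal on the next request.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return Redirect("/");
    }
}
```

After a logout, a refresh of any page returns an anonymous user until the login action is hit again and explicitly challenges the Windows scheme; [ValidateAntiForgeryToken] on the POST logout keeps a third-party page from logging the user out (or, more importantly, from being able to drive a login with a crafted returnUrl).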