Published on December 12, 2016 by kudvenkat

In this video we will discuss implementing logout functionality for ASP.NET Web API.

To log out the user from the application all we have to do is remove the Access token from the client browser session storage. Here is what we want to do.
1. Include a Log Off button
2. When the Log Off button is clicked remove the access token from client browser session storage and redirect the user to the login page.

There are 2 ways for the user to Log Off
1. By closing the browser window. Since we are storing the access token in browser session storage, the access token will be lost when we close the browser window.
2. By clicking the “Log Off” button, which explicitly removes the access token from the browser session storage.

If you do not want to lose the access token when the browser is closed, store the access token in browser local storage instead of session storage. The way you store, retrieve and remove items from local storage is exactly the same as storing, retrieving and removing items from session storage, except that you use the localStorage object instead of the sessionStorage object.
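
The log off steps above, written out as an added example (not the tutorial's own code). The storage key `accessToken`, the page `Login.html` and the button id `btnLogoff` are assumed names; the stores are passed in so the same functions work with sessionStorage, localStorage or both.

```javascript
// Added example, not the tutorial's code. Assumed names: the storage key
// 'accessToken', the page 'Login.html' and the button id 'btnLogoff'.
const TOKEN_KEY = 'accessToken';
const LOGIN_PAGE = 'Login.html';

// Remove the token from every store passed in, then go to the login page.
// Passing both stores covers a token saved in either place.
function logOff(stores, redirect) {
    for (const store of stores) {
        store.removeItem(TOKEN_KEY);
    }
    redirect(LOGIN_PAGE);
}

// Return the stored token, or send the user to the login page when there
// is none. Call this when a protected page loads.
function requireToken(stores, redirect) {
    for (const store of stores) {
        const token = store.getItem(TOKEN_KEY);
        if (token) {
            return token;
        }
    }
    redirect(LOGIN_PAGE);
    return null;
}

// A 401 from the Web API means the token was rejected (for example, it has
// expired), so treat it like a log off. Returns true when it did so.
function handleStatus(status, stores, redirect) {
    if (status === 401) {
        logOff(stores, redirect);
        return true;
    }
    return false;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof document !== 'undefined') {
    const stores = [sessionStorage, localStorage];
    const redirect = (url) => { window.location.href = url; };
    document.addEventListener('DOMContentLoaded', () => {
        requireToken(stores, redirect);
        const button = document.getElementById('btnLogoff');
        if (button) {
            button.addEventListener('click', () => logOff(stores, redirect));
        }
    });
}
```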

We are only deleting the access token on the client. We are not invalidating or deleting the access token on the server side. If someone can intercept the access token, will they not be able to use that access token and gain access to the system?
The straight answer to the question is YES. If someone is able to intercept the access token, they will be able to impersonate the user and gain access to the system. However, most systems that use access tokens work over SSL (Secure Sockets Layer), which inhibits intercepting access tokens.

Should we invalidate or delete access tokens from the server?
No, there is no need to invalidate or delete access tokens from the server. The access token lives on the client, and it is enough if we remove it from the client. Another good practice is to set the expiry of the access token to as short a time as practically possible, depending on the nature of your application.

Text version of the video
csharp-video-tutorials.blogspot.com/2016/12/aspnet-web-api-logout.html

Slides
csharp-video-tutorials.blogspot.com/2016/12/aspnet-web-api-logout_12.html

All ASP .NET Text Articles
csharp-video-tutorials.blogspot.com/p/free-aspnet-video-tutorial.html

All ASP .NET Slides
csharp-video-tutorials.blogspot.com/p/aspnet-slides.html

All Dot Net and SQL Server Tutorials in English
www.youtube.com/user/kudvenkat/playlists?view=1&sort=dd

All Dot Net and SQL Server Tutorials in Arabic
www.youtube.com/c/KudvenkatArabic/playlists



10 Comments on "ASP NET Web API logout"


Ja va (Guest), 6 months 10 days ago

The only code preventing the user from logout is javascript, is it possible to see the page if you disable javascript?

pmburu0 (Guest), 6 months 14 days ago

Thank you

Suprith A.M (Guest), 6 months 20 days ago

Hi Venkat, thanks for great tutorials. Are the user name and password passed as plain text to the server in the demo? If that is the case, is it not easy for a hacker to get hold of them and use them for generating the token? Please advise.

shiva sanika (Guest), 8 months 19 days ago

Hi sir, I would like to clarify some doubts below. 1) How do I delete the token from the server? 2) Or how to modify the validity of the token by clicking some button on the UI? 3) Where is the actual point (code) where the verification is happening at the server side? How is the server validating whether the token is correct or not and validated or not?

Ronald Anthonisamy (Guest), 9 months 4 days ago

Thanks Venkat.

Muhammad Rehbar Sheikh (Guest), 9 months 11 days ago

Thanks sir.

Bo Shen (Guest), 9 months 12 days ago

I really want to know what's the difference between the "bearer" and "basic" authentication. Is the "bearer" more secure? And I hope you could make some more videos about OData on Web API to enrich this video series. Big thanks!!

Rk215 Tech (Guest), 9 months 12 days ago

Sir, I love your tutorial. I have one suggestion you may like: please tell us in advance what exactly we need (required files or something else) to get the output.

RAMCHANDRA THAKKAR (Guest), 9 months 12 days ago

Very much informative.

martenhc (Guest), 9 months 12 days ago

Hello Venkat, great video as always. I was wondering, why not use cookies to store the token? Does localStorage have any advantage over cookies?
