Tags: asp.net-mvc, asp.net-mvc-5, owin, katana

Why does AuthenticationManager.SignOut() Fail when I Change the Response?


I just started fiddling around with OWIN/Katana and MVC.NET 5.0. The default Visual Studio 2013 ASP.NET Web Application/MVC Template has an AccountController with a LogOut() action:

public ActionResult LogOff() {
    AuthenticationManager.SignOut();
    return RedirectToAction("Index", "Home");
}

As expected, this works just fine. However, when I change the response status code, e.g. by:

Response.SetStatus(HttpStatusCode.SeeOther);

... the AuthenticationManager.SignOut() method no longer causes the user to become logged off. Why is that?

I tried different approaches for setting the HTTP status code for the response, as well as changing HTTP headers like Location, and always with the same result - the user is not logged off when the LogOff() action is executed, if I get into tampering with the response.

I tried not using RedirectToAction (which explicitly implements a 302 redirect - that's another story), and not returning an ActionResult, but that made no difference - not that I'd really expect it to.

Using Fiddler I can tell that the response as it appears to the browser looks fine, not holding any surprises.

I also tried looking through the source code of the OWIN middleware at work, but the architecture is still unfamiliar to me, and I found no answers that I could grasp in there. I need your help in sorting this out, so thank you in advance!


Solution

  • The reason AuthenticationManager.SignOut() fails is that Response.SetStatus(HttpStatusCode.SeeOther) internally ends the response:

    public static void SetStatus(this HttpResponseBase response, int httpStatusCode)
    {
      response.StatusCode = httpStatusCode;
      response.End();
    }
    

    (See System.Web.WebPages.ResponseExtensions)

    After this, naturally the ResponseManager cannot manipulate the response to remove cookies etc.
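An added example (not code from the question, the answer or the Visual Studio template) showing both shapes side by side: the broken action that calls Response.SetStatus() after SignOut(), and a working action that returns a hypothetical SeeOtherResult which sets the 303 status and Location header on the response without calling Response.End(). Because the response is left open, the request unwinds through the OWIN pipeline normally and the cookie middleware can still append the Set-Cookie header that deletes the authentication cookie. The controller, result class and action names are assumptions for illustration; the library calls (GetOwinContext, IAuthenticationManager.SignOut, DefaultAuthenticationTypes.ApplicationCookie, Response.SetStatus from System.Web.WebPages) are real.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.WebPages;           // ResponseExtensions.SetStatus (the extension that calls Response.End())
using Microsoft.AspNet.Identity;     // DefaultAuthenticationTypes
using Microsoft.Owin.Security;       // IAuthenticationManager

// Hypothetical ActionResult (not part of the MVC template): emits a 303 See Other
// by setting the status code and Location header only. It deliberately does NOT
// call Response.End(), so the OWIN cookie middleware still gets its turn to write
// the cookie-removal header after the action completes.
public class SeeOtherResult : ActionResult
{
    private readonly string _url;

    public SeeOtherResult(string url)
    {
        _url = url;
    }

    public override void ExecuteResult(ControllerContext context)
    {
        HttpResponseBase response = context.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.SeeOther;
        response.RedirectLocation = _url;   // becomes the Location header
        // No response.End() here: ending the response is what breaks SignOut().
    }
}

public class AccountController : Controller
{
    // Same accessor the template uses: the Katana authentication manager for this request.
    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Broken variant, kept for contrast. SetStatus() calls Response.End(), so the
    // response is finished before the cookie middleware runs; the sign-out never
    // reaches the wire and the browser keeps a valid authentication cookie.
    public ActionResult LogOffBroken()
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        Response.SetStatus(HttpStatusCode.SeeOther);   // ends the response
        return new EmptyResult();
    }

    // Working variant: sign out, then set status and Location without
    // terminating the response. The cookie deletion header is emitted as usual.
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return new SeeOtherResult(Url.Action("Index", "Home"));
    }
}
```

The check worth doing in Fiddler after either variant is to look at the log-off response for a Set-Cookie header that expires the application cookie (with the template's defaults the cookie is named .AspNet.ApplicationCookie). A 303 with a correct Location but no such Set-Cookie header means the sign-out did not happen: the browser still holds a cookie that authenticates the user until it expires on its own, which is the real risk behind the symptom the question describes.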