Invalidate Old Session Cookie - ASP.Net Identity
Make sure you use AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); as correctly suggested by Jamie.
Being able to log in with the same cookie again is by design. Identity does not create internal sessions to track all logged-in users, and if OWIN gets a cookie that hits all the boxes (i.e. copies from the previous session), it'll let you log in.
If you can still log in after the security stamp is updated, most likely OWIN can't get a hold of ApplicationUserManager. Make sure you have this line just above the app.UseCookieAuthentication:
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
Or, if you are using DI, take ApplicationUserManager from DI:
app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());
Also reduce the validateInterval: TimeSpan.FromMinutes(30) to a lower value - I usually settle for a couple of minutes. This is how often Identity compares values in the auth cookie to the values in the database. And when the comparison is done, Identity regenerates the cookie to update timestamps.
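
The pieces described in the answer above, put together as an added example that is not part of the original answer. It assumes the types generated by the default MVC 5 Identity template (ApplicationDbContext, ApplicationUser, ApplicationUserManager, GenerateUserIdentityAsync); the login path, controller name and 2-minute interval are illustrative.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed template types. Both registrations sit above UseCookieAuthentication
        // so the security stamp validator can obtain ApplicationUserManager per request.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // illustrative path
            Provider = new CookieAuthenticationProvider
            {
                // Compare the stamp in the cookie with the database every 2 minutes
                // (template default is 30) and reissue the cookie when they match.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(2),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOff()
    {
        var owin = HttpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        // Changing the stamp makes copies of the old cookie fail the next validation.
        await userManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
        owin.Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }
}
```

A copied cookie is still accepted until its next stamp check, so validateInterval is the upper bound on how long it stays usable after the stamp changes.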