I am using Facebook Owin Authentication and more or less follow Microsoft sample. I am more or less following the First time user logs in, everything is ok. But if they sign out and try again, it seems like the previous .AspNet.Correlation.Facebook is not removed, but set to empty string. So my next call to api/getexternallogin looks like this in Fiddler:

This is when we are generating a correlationId and having multiple cookies at this point is not a show stopper. In the response, I set it to the new CorrelationId:

Later when facebook calls back to "/signin-facebook", we try to validate the correlationId in ValidateCorrelationId method. The request seems like this:

So the new CorrelationId has been set but the extra cookie with no value means when I go Request.Cookies["ValidateCorrelationId"], it returns empty string.

I have checked the code and it seems like the only methods modifying this cookie are GenerateCorrelationId and ValidateCorrelationId. Implementation of these methods can be found in here:

http://katanaproject.codeplex.com/SourceControl/latest#src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler.cs

Curiously enough, my browser does not seem to see the issue:

Any ideas will be much appreciated.

OK this has taken me a fair bit of frustration but when Response.Cookies.Delete(".AspNet.Correlation.Facebook") is called in ValidateCorrelationId method, it sends the following in response:

So the value of "expires" has been concatenated and treated as two separate "set-cookie"s. Hence, the cookie is not expired but its value set to empty string. It seems like the comma after "Thu" is causing it.

The fix I have come up with was to comment out Response.Cookies.Delete(".AspNet.Correlation.Facebook") and do the following instead:

Response.Headers.Add("Set-Cookie", new[] { CorrelationKey + "=; path=/; expires=Fri 02-Jan-1970 00:00:00 GMT" })

No commas there and it is working now.

This does seem like a genuine bug in OWIN.