I'm writing an ASP.net application that uses Windows Identity Foundation. My ASP.net application uses claims-based authentication with passive redirection to a security token service. This means that when a user accesses the application, they are automatically redirected to the Security Token Service where they receive a security token which identifies them to the application.
In ASP.net, security tokens are stored as cookies.
I want to have something the user can click on in my application that will delete the cookie and redirect them to the Security Token Service to get a new token. In short, make it easy to log out and log in as another user. I try to delete the token-containing cookie in code, but it persists somehow.
How do I remove the token so that the user can log in again and get a new token?
Cookies are a bit strange. They are managed by the browser and there is no "Method" to delete them. Just deleting them from the Request or Response objects on the server side does not remove them from the browser on the client side.
To "Delete" a cookie you have to set it's expiration date to the past.
See: http://msdn.microsoft.com/en-us/library/ms178195.aspx
I found the solution. To put it succinctly:
See here for more information: http://garrettvlieger.com/blog/2010/03/refreshing-claims-in-a-wif-claims-aware-application/
I also see that I can get handles to some other parts of the WIF framework this was, as well. It's definitely worth the read.