/// <summary>
/// Handles a token-based logout request: validates the access token, runs the
/// logout executor, deletes the three authentication cookies and answers with
/// <c>HttpResponseStatusCode.Ok</c>.
/// </summary>
/// <remarks>
/// Nothing happens when <paramref name="accessHeadAndPayload"/> is null, empty or
/// whitespace: no validation, no cookie deletion and no status code change.
/// The cookies are deleted only after the token has been validated successfully;
/// both exception paths leave them untouched.
/// </remarks>
/// <param name="accessHeadAndPayload">Head-and-payload part of the access token; the signature part is read from the access signature cookie.</param>
/// <param name="tokenManager">Token manager used to validate the reassembled token.</param>
/// <param name="context">Current HTTP context; its request, response and user are accessed.</param>
/// <exception cref="UnauthorizedAccessException">
/// The access signature cookie is missing, or the reassembled token does not validate.
/// </exception>
private void TokenLogout(string accessHeadAndPayload, TokenManager tokenManager, HttpContextBase context)
{
    // Without a head-and-payload value there is nothing to log out.
    if (String.IsNullOrWhiteSpace(accessHeadAndPayload))
    {
        return;
    }

    var signatureCookie = CookieHelper.GetCookie(context.Request, AccessSignatureCookieName);
    if (signatureCookie == null)
    {
        throw new UnauthorizedAccessException("Missing access cookie.");
    }

    // The full token is "<head and payload>.<signature>"; the signature comes only from the cookie.
    var fullAccessToken = $"{accessHeadAndPayload}.{signatureCookie.Value}";

    // NOTE(review): the meaning of the second argument (false) is not visible here;
    // presumably it relaxes a validation step such as the lifetime check. Confirm.
    var tokenPrincipal = tokenManager.ValidateToken(fullAccessToken, false);
    if (tokenPrincipal == null)
    {
        throw new UnauthorizedAccessException("Invalid access token.");
    }

    // The flag is taken from the request; a missing or unparsable value leaves it false.
    bool.TryParse(AuthenticationHelper.GetRequestParameterValue(context, "ultimateLogout"), out var logoutEverywhere);

    // An ultimate logout is performed only if the user has not been logged out already;
    // if they have, only a local logout executes.
    if (logoutEverywhere || Configuration.Security.DefaultUltimateLogout)
    {
        var alreadyLoggedOut = UserHasLoggedOut(tokenManager, tokenPrincipal.Identity.Name, accessHeadAndPayload, out var portalUser);
        logoutEverywhere = !alreadyLoggedOut;

        // context.User is replaced only on this branch.
        // NOTE(review): presumably GetSystemAccount() opens an elevated scope; whether the
        // out value of UserHasLoggedOut can be null is not visible here. Confirm both.
        using (AuthenticationHelper.GetSystemAccount())
        {
            context.User = portalUser;
        }
    }

    _logoutExecutor?.Logout(logoutEverywhere);

    // Remove every token cookie from the response, in the original order.
    var response = context.Response;
    CookieHelper.DeleteCookie(response, AccessSignatureCookieName);
    CookieHelper.DeleteCookie(response, AccessHeadAndPayloadCookieName);
    CookieHelper.DeleteCookie(response, RefreshSignatureCookieName);
    response.StatusCode = HttpResponseStatusCode.Ok;
}