Issue with browser back button invalidating the session from Azure AD login page

James Kim 0 Reputation points
2024-05-17T14:52:35.95+00:00

I'm using Azure AD for my login and forgot password pages. These two pages are custom HTML pages hosted in Azure Blob Storage.

From the login page, when I click on the "Forgot Password" link, the page goes to the URL below for a second:

http://mywebsite.com/#error=access_denied&error_description=AADB2C90118%3a+The+user+has+forgotten+their+password ...

It then redirects again to the forgot password page.

But once I use the browser back button to return to the login page and click on the "Forgot Password" link again, the login page just refreshes and does not take me to the forgot password page. Clicking it again redirects to the forgot password page.

This could be an issue related to the cache used by MSAL being cleared, or the active session being invalidated, once the browser back button is used. I was wondering if anyone else has encountered a similar issue and if there is a fix for this?

1 answer

  1. Marilee Turscak-MSFT 35,116 Reputation points Microsoft Employee
    2024-05-21T22:24:07.5166667+00:00

    Hi @James Kim ,

    I notice the error you pasted was for B2C so it sounds like you might be using a password reset custom policy. The user getting redirected to the "forgot password" page instead of the login page might be related to a previous bug in the setup for the “recommended” password reset flow. This would resolve the other issue with the back button invalidating the session.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-custom-policy#self-service-password-reset-recommended

    In the ForgotPassword technical profile, you need to make sure that the UseTechnicalProfileForSessionManagement is set to SM-Noop.

    Let me know if this helps and if you still run into the issue.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.
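
To confirm the setting named in the answer before uploading a policy, the following added example (not from the original thread or from Microsoft's documentation) parses a custom policy file and reports which session management profile the ForgotPassword technical profile references. The sample policy is constructed; the function names and the two extra profile Ids are hypothetical, and the check inspects a single file without following base-policy inheritance.

```python
import xml.etree.ElementTree as ET

# XML namespace of Azure AD B2C custom policy (TrustFrameworkPolicy) files.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample policy. Only "ForgotPassword" and "SM-Noop" come from the
# answer; the other two profile Ids are hypothetical, added to show failures.
SAMPLE_POLICY = """\
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="ForgotPassword">
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
        <TechnicalProfile Id="ForgotPassword-WrongSession">
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
        </TechnicalProfile>
        <TechnicalProfile Id="ForgotPassword-NoSession" />
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def session_provider(policy_xml, profile_id):
    """Return the session-management ReferenceId of a technical profile.

    Returns None when the profile exists but has no
    UseTechnicalProfileForSessionManagement element in this file; raises
    KeyError when the profile is not defined in this file at all.
    """
    root = ET.fromstring(policy_xml)
    for profile in root.iterfind(".//tf:TechnicalProfile", NS):
        if profile.get("Id") == profile_id:
            node = profile.find("tf:UseTechnicalProfileForSessionManagement", NS)
            return None if node is None else node.get("ReferenceId")
    raise KeyError(profile_id)


def uses_noop_session(policy_xml, profile_id="ForgotPassword"):
    """True only if the profile explicitly references SM-Noop."""
    return session_provider(policy_xml, profile_id) == "SM-Noop"


if __name__ == "__main__":
    for pid in ("ForgotPassword", "ForgotPassword-WrongSession", "ForgotPassword-NoSession"):
        print(pid, "->", session_provider(SAMPLE_POLICY, pid))
```

A `None` result means the element is absent from the file checked, so the effective value would come from whatever policy this file inherits from.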
