question

0 Votes
ask-2849 asked YijingSun-MSFT answered

MVC Login page back button can login again

I have an app using forms authentication. I use FormsAuthentication.SignOut in the logoff action with Session.Abandon and Session.Clear. If I hit the back button and go all the way back to the login page, the username and password are still in the fields, and I can hit submit and it reauthenticates. The only way around this that guarantees the clearing of these fields is to redirect to the login action instead of the home page. I verified this behavior with a default Visual Studio project with individual accounts. Am I missing something? Is there a way to log a user off and redirect to the home page, but have the login fields cleared? From what I am reading, there isn't much to do except tell the user to close the browser window, which is the only guaranteed way to keep the page from being accessible.

dotnet-aspnet-mvc

0 Votes
Bruce-SqlWork answered

You can use JavaScript to remove the login page from history via the History API.


0 Votes
YijingSun-MSFT answered

Hi @ask-2849 ,
As far as I can tell, the user will get logged out once the authentication cookie times out. ASP.NET Identity comes with this capability, called a Security Stamp. The highlighted configuration compares the security stamp stored in the auth token to the database value every 30 minutes.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

Note: you could create the IAuthenticationManager in the controller and call SignOut.
Best regards,
Yijing Sun


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

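Putting together the asker's logoff sequence, Bruce's point about what the browser keeps, and the SignOut note above, here is an added example (not code from any poster in this thread) of a forms-authentication MVC logoff that also sends no-store cache headers, so back navigation refetches the page and hits the login redirect instead of replaying a cached copy. It assumes classic FormsAuthentication as the asker describes; the NoCacheAttribute name and the AccountController shape are this example's own, and on an ASP.NET Identity/OWIN project FormsAuthentication.SignOut() would be replaced with the AuthenticationManager.SignOut() call Yijing mentions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Marks a response non-cacheable, so back navigation refetches the page (and gets the
// Login redirect once the auth cookie is gone) instead of rendering a stale cached copy.
public sealed class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        cache.SetNoStore();                                      // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // must-revalidate
        base.OnResultExecuting(filterContext);
    }
}

[Authorize]
[NoCache] // applies to every action here, including the anonymous Login page
public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View(); // the view's <form> should also carry autocomplete="off"
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut(); // sends an expired forms-auth cookie to the browser
        Session.Abandon();             // discards the server-side session at end of request

        // Abandon() leaves the session-id cookie in the browser; expire it explicitly so the
        // old id is never presented again. "ASP.NET_SessionId" is the framework default name.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        // Redirecting to Login (as the asker observed) yields a freshly rendered, empty form.
        return RedirectToAction("Login", "Account");
    }
}
```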