First of all, this question thread, as of this writing, is the successor of this thread:
The template of Blazor Identity options was successfully scaffolded to my existing project. However, the expected logout behavior is only applied to the following pages:
- Account/Manage
- Account/Manage/Email
- Account/Manage/ChangePassword
- Account/Manage/TwoFactorAuthentication
- Account/Manage/PersonalData
Moreover, if I am on any of the previously mentioned pages and then log out (since I modified the location of the login page, it goes back to the login page upon logout), I cannot navigate back to the previous page by clicking the browser's back button. This is the expected outcome for security purposes. The problem is that, for example, if I'm on the "Auth Required" menu (Auth.razor), the user is not properly logged out by the program, even after I click logout.
Here's my relevant layout:
Login
Auth required menu
Manage account Menu
Here's my folder hierarchy:
First set
Second set
Third set
As I am reverse engineering the template provided by the blazor-identity generator, I've noticed a discrepancy in the logout process, which is not actually applied to the existing project setup.
These are the relevant code snippets, first is in the NavMenu.razor:
```razor
<div class="nav-item px-3">
    <NavLink class="nav-link" href="auth">
        <span class="bi bi-lock-nav-menu" aria-hidden="true"></span> Auth Required
    </NavLink>
</div>
<AuthorizeView>
    <Authorized>
        <div class="nav-item px-3">
            <NavLink class="nav-link" href="Account/Manage">
                <span class="bi bi-person-fill-nav-menu" aria-hidden="true"></span> @context.User.Identity?.Name
            </NavLink>
        </div>
        <div class="nav-item px-3">
            <form action="Account/Logout" method="post">
                <AntiforgeryToken />
                <input type="hidden" name="ReturnUrl" value="@currentUrl" />
                <button type="submit" class="nav-link">
                    <span class="bi bi-arrow-bar-left-nav-menu" aria-hidden="true"></span> Logout
                </button>
            </form>
        </div>
    </Authorized>
</AuthorizeView>

@code {
    private string? currentUrl;

    protected override void OnInitialized()
    {
        currentUrl = NavigationManager.ToBaseRelativePath(NavigationManager.Uri);
        NavigationManager.LocationChanged += OnLocationChanged;
    }

    private void OnLocationChanged(object? sender, LocationChangedEventArgs e)
    {
        currentUrl = NavigationManager.ToBaseRelativePath(e.Location);
        StateHasChanged();
    }

    public void Dispose()
    {
        NavigationManager.LocationChanged -= OnLocationChanged;
    }
}
```

I've set breakpoints in the OnInitialized, OnLocationChanged, and Dispose methods. The previously mentioned pages (which are working as expected) are directly executing Dispose upon logout. Except for the "Auth Required" menu (Auth.razor), where the last method executed is OnInitialized, which in turn technically has loopholes.
Moreover, as I dig deeper, I found out that the URL under the login layout is validated upon logout. Therefore, I tried to refactor the NavMenu.razor, and applied this code:
```razor
<form action="Account/Logout" method="post">
    <AntiforgeryToken />
    <input type="hidden" name="ReturnUrl" value="@($"{currentUrl = "Account/Manage"}")" />
    <button type="submit" class="nav-link">
        <span class="bi bi-arrow-bar-left-nav-menu" aria-hidden="true"></span> Logout
    </button>
</form>
```

I tried to mimic the URL argument specified for the currentUrl so that the logout function behaves properly, and yet, the user is successfully logged out. However, the problem is that if I click the browser's back button, I can navigate back to the main page, which is not supposed to happen for security reasons.
Note that the template generated by the Blazor Identity options was in a different folder hierarchy compared to my existing project (under the folder hierarchy > third set); please check my folder hierarchy that is already provided above.
I am trying to replicate the behavior of the logout security features provided by the Blazor Identity options that prohibit the user from navigating back to the sensitive pages upon logout.
My question is, how can I avoid introducing overhead by implementing a similar behavior to my existing project?





