2

I have the following scenario that includes Siteminder SSO:

  1. User is logged in
  2. User clicks logout
  3. document.location.assign is set to external URL that will perform session invalidation
  4. Browser visits that external URL and external login form is displayed.
  5. User hits the back button in browser

Now the problem is, after the back button is pressed the Angular application pops out again without making an actual GET request - is the whole application content cached?

Anyway, is there a way to detect that the user navigated to the page using the back button after step 4?

I have checked router events in case of such navigation using

```typescript
imports: [RouterModule.forRoot(routes, { enableTracing: true })]
```

but none of the events are fired.

Antoniossss
  • Are you using a service worker? What happens when you manually enter the URL of step 5 (Angular app)? Is it possible for the Angular application to check whether the session is still valid? – Kim Kern Jul 27 '18 at 09:07
  • Pasting the URL directly has the exact same outcome. I can then go back and forward between Angular and the external login form without any actual requests. No router events are generated when going back to Angular :( Also, the Angular app and the external logout page are on different subdomains of the same main domain. This could explain why doing the same thing from localhost (app on localhost, logout on external) actually works as expected - if I navigate back, then the whole app is fetched once more from scratch. – Antoniossss Jul 27 '18 at 09:13
  • @KimKern And no service workers are being used. location replace as response to click event. – Antoniossss Jul 27 '18 at 09:22

1 Answer

0

For this scenario I would recommend using an Auth Guard to protect routes from unauthorized access.

Full details can be found in the [Angular Crisis Center example](https://angular.io/guide/router#canactivate-requiring-authentication).

You create a Route Guard with `ng generate guard` which implements the `CanActivate` interface. In the `canActivate()` handler, check if the user has valid credentials. If not, redirect to a "not authorized" route, or your sign-in page.

Here's a link to a popular blog post explaining the technique.

If you're interested in actually detecting the browser's back button, see my answer here.

FirstVertex
  • I'm long gone from that project, but auth guard is invoked on navigation, right? Well, no navigation occurs here - and that is the problem. – Antoniossss Feb 06 '20 at 17:12
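
One way to cover the case raised in the question and in the comment above, where the app reappears after logout without any router navigation, is to re-validate the session on the browser's `pageshow` event. This is an added example, not code from the question, the answer or Angular itself; `checkSession` and `onInvalid` are hypothetical callbacks, and it assumes the page comes back from the browser's back/forward cache or through a history traversal.

```javascript
// Added example. Assumptions: checkSession() is a hypothetical callback that
// asks the server whether the SSO session still exists (true/false, or a
// Promise of it); onInvalid() is a hypothetical callback that sends the user
// to the sign-in page.

// True when the page is shown without a fresh load of the app: restored from
// the back/forward cache (event.persisted) or reached by history traversal.
function isHistoryRestore(event, navigationType) {
  return Boolean(event && event.persisted) || navigationType === 'back_forward';
}

// Navigation Timing type of the current document: 'navigate', 'reload',
// 'back_forward' or 'prerender'; undefined if the API is unavailable.
function currentNavigationType(perf) {
  const entries = perf && perf.getEntriesByType
    ? perf.getEntriesByType('navigation') : [];
  return entries.length > 0 ? entries[0].type : undefined;
}

// Decides what to do for one pageshow event. Resolves to 'skipped', 'valid'
// or 'invalid'. Any error while checking is treated as "no session".
function handlePageShow(event, navigationType, checkSession, onInvalid) {
  if (!isHistoryRestore(event, navigationType)) {
    return Promise.resolve('skipped');
  }
  return Promise.resolve()
    .then(() => checkSession())
    .catch(() => false)
    .then((valid) => {
      if (valid) return 'valid';
      onInvalid();
      return 'invalid';
    });
}

// Wires the check to `win` (normally window). pageshow is a window event, so
// this runs even when the Angular router emits no navigation event.
// Returns a function that removes the listener.
function installSessionRecheck(win, checkSession, onInvalid) {
  const listener = (event) => handlePageShow(
    event, currentNavigationType(win.performance), checkSession, onInvalid);
  win.addEventListener('pageshow', listener);
  return () => win.removeEventListener('pageshow', listener);
}
```

Call `installSessionRecheck(window, checkSession, onInvalid)` once at application start-up; the same `checkSession` can back the `canActivate()` guard so both paths apply one rule.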