0

In my code I handle a DbUpdateConcurrencyException and for the case of updating a user's account, and the user no longer exists, I want to log them out - as they are no longer a valid user.

Granted, not a biggie because this should be rare and any page they try to go to will not accept them as they no longer have a claim. But its cleaner to log them out.

I can't use the SignInManager in Blazor.

To use the Identity library LogOut.cshtml, it requires a POST to the page to logout due to this security issue.

So, how can I force a logout from code? There are a lot of articles about why it must be a POST and how to create a page to do that. But none (that I can find) on a way to force a logout as opposed to asking a user to click a submit.

David Thielen
  • 28,723
  • 34
  • 119
  • 193

1 Answers1

0

In your Logout.cshtml page you can use javascript to do an automatic POST immediately when the page is retrieved via GET.

Logout.cshtml:

@page
@model MyApp.Pages.LogoutModel

<form method="post"></form>

@section Scripts {
<script>
    window.onload = function () {
        document.forms[0].submit();
    };
</script>
}

Logout.cshtml.cs:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace MyApp.Pages
{
    [IgnoreAntiforgeryToken]
    public class LogoutModel : PageModel
    {
        public async Task<IActionResult> OnPostAsync()
        {
            await HttpContext.SignOutAsync();
            return Redirect("/");
        }
    }
}

Then, in your Blazor component where you want to perform the logout:

@inject NavigationManager nav
...
nav.NavigateTo("/Logout", true);

(based on the method described here)

Dan Z
  • 696
  • 8
  • 19