I've now got three issues where I need to call the Identity library programmatically. The most recent is that I need to call SignInManager.RefreshSignInAsync(user)
after updating the claims for a user (if that user is the logged-in user).
Exactly what problems or security holes are created if I call an MVC page (one I add alongside the other Identity ones) where OnGet() calls the UserManager, SignInManager, etc.?
I'm not worried about the issue of them hitting refresh on the page. If they do and RefreshSignInAsync is called twice, who cares? Same for Logout: not an issue if it then tries to log out an already logged-out user.
So... what are the downsides to doing this? And are there alternatives (other than putting up a page with a large button that says [Please Click Me] to send them to that page with a POST)?
Update: As I understand it, and please correct me if I am wrong, the problem, as discussed here, here, & here is that the browser can prefetch a page (logging you out even if you never go to that page) as well as cache the page (displays it without executing the OnGet). So bad all around.
So... is there any downside to POSTing to a page in code as follows:
```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

static async Task PostLogoutAsync()
{
    var url = "https://example.com/identity/account/LogOut";
    var data = new Dictionary<string, string>
    {
        { "myKey", "myValue" },
        { "anotherKey", "anotherValue" }
    };
    // Form-encode the body the same way a browser-submitted <form> would
    var content = new FormUrlEncodedContent(data);
    using (var client = new HttpClient())
    {
        var response = await client.PostAsync(url, content);
        if (response.IsSuccessStatusCode)
        {
            var responseBody = await response.Content.ReadAsStringAsync();
            // Any point in checking the response?
        }
    }
}
```
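For comparison, here is an added example (not code from the question or from ASP.NET Core Identity itself) of the approach that avoids both the GET-triggered state change and the server-to-self POST: keep `OnGet()` side-effect free, do the claim update in a POST handler, and call `RefreshSignInAsync` from the same request that changed the claims. Two facts drive this design: Razor Pages validate the antiforgery token on POST handlers automatically, so prefetchers and cached pages cannot trigger the handler, and `RefreshSignInAsync`/`SignOutAsync` act on the current request's `HttpContext`, which is exactly what an `HttpClient` call from server code does not have (it carries no browser cookie, so it would sign out nobody and would be rejected for lacking an antiforgery token). The page name, the use of plain `IdentityUser`, and the `Department` claim type are assumptions chosen for the example.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Added example; assumes the app's user type is IdentityUser and that
// "Department" is an application-specific claim (both are assumptions).
public class EditClaimsModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public EditClaimsModel(UserManager<IdentityUser> userManager,
                           SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [BindProperty] public string UserId { get; set; }
    [BindProperty] public string Department { get; set; }

    // GET only renders the form and changes no state, so a browser
    // prefetching or serving this page from cache is harmless.
    public void OnGet() { }

    // All state changes live in POST handlers. Razor Pages validate the
    // antiforgery token on POST automatically (the form tag helper emits it).
    public async Task<IActionResult> OnPostAsync()
    {
        var user = await _userManager.FindByIdAsync(UserId);
        if (user == null) return NotFound();

        // Replace the existing "Department" claim, or add it if absent.
        var existing = (await _userManager.GetClaimsAsync(user))
            .FirstOrDefault(c => c.Type == "Department");
        var updated = new Claim("Department", Department ?? string.Empty);
        var result = existing == null
            ? await _userManager.AddClaimAsync(user, updated)
            : await _userManager.ReplaceClaimAsync(user, existing, updated);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return Page();
        }

        // Only the current request can issue a new cookie to the browser,
        // so refresh here when the edited user is the caller. Calling this
        // twice (e.g. after a form resubmit) just reissues the cookie.
        if (user.Id == _userManager.GetUserId(User))
        {
            await _signInManager.RefreshSignInAsync(user);
        }

        return RedirectToPage();
    }

    // Named POST handler for sign-out; reached via <form asp-page-handler="Logout">.
    // Signing out an already signed-out session is a no-op, as the question assumes.
    public async Task<IActionResult> OnPostLogoutAsync()
    {
        await _signInManager.SignOutAsync();
        return RedirectToPage("/Index");
    }
}
```

In the matching `.cshtml`, a `<form method="post">` built with the tag helpers gets the antiforgery token added for you; a second `<form method="post" asp-page-handler="Logout">` can hold the sign-out button. If you need the sign-out to happen without a visible button, a small script that calls `form.submit()` on page load still sends a real POST with the token and the user's cookie, which is what the server-side `HttpClient` version cannot do.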