
The code below works for login and logout, but I am facing an issue:

  1. Ran the application in Chrome and logged in as user A. Successfully logged in.
  2. He opened another tab; it did not ask for login, because he was already logged in from the previous tab and it used those cookies.
  3. User A navigated to the purchase menu in that new tab. He has rights to open this menu and place a purchase order.
  4. He clicked logout from the first tab and was successfully logged out. The second tab was still open on the purchase screen.
  5. Now user B successfully logged in with his credentials. He does not have purchase activity rights.
  6. He opened that purchase screen tab and placed an order; it was successfully placed.

I want to restrict this: whenever an expired session/cookie comes to the server, we have to ignore it and redirect to the login screen.

Login code

```csharp
ClaimsIdentity identity = new ClaimsIdentity(new[]
{
    new Claim(ClaimTypes.NameIdentifier, u.Name),
    new Claim(ClaimTypes.Name, u.DisplayName),
    new Claim(ClaimTypes.UserData, JsonSerializer.Serialize(u)),
}, CookieAuthenticationDefaults.AuthenticationScheme);

var principal = new ClaimsPrincipal(identity);
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);
```

Logout code

```csharp
public async Task<IActionResult> Logout()
{
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return RedirectToAction("Index", "Home");
}
```

Startup.cs

```csharp
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(x =>
    {
        x.LoginPath = "/UserAccount";
        x.ExpireTimeSpan = TimeSpan.FromMinutes(10);
        x.SlidingExpiration = true;
    });

// Require an authenticated user for every MVC action by default.
var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
services.AddMvc(options =>
{
    options.Filters.Add(new AuthorizeFilter(policy));
});
```

Answer

He opened that purchase screen tab and placed an order it is successfully placed

Add [Authorize] to the action which places an order.

Below is a demo. I added a link to the aa action in Confidential.cshtml. If the first-tab user logs out, the second-tab user cannot go to the aa action.

HomeController:

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    [Authorize]
    public IActionResult ConfidentialData()
    {
        return View();
    }

    // Stand-in for the "place an order" action.
    [Authorize]
    public IActionResult aa()
    {
        return Ok(3);
    }
}
```

Confidential.cshtml:

```cshtml
@if (User.Identity.IsAuthenticated)
{
    <table class="table table-bordered">
        @foreach (var claim in User.Claims)
        {
            <tr><td>@claim.Type</td><td>@claim.Value</td></tr>
        }
    </table>
    <li><a asp-controller="Home" asp-action="aa">Home</a></li>
}
```

result: [screenshot]

2 Comments

Thanks for your effort. I cannot add the Authorize attribute to each and every action, which is why I already added AuthorizationPolicyBuilder in startup.cs. You have not reproduced the issue yet. 1) After logout, don't do any action (don't click the Home link) from the second tab. 2) Log in with some other user who does not have confidential data rights but has home page rights. Then come to the second tab and click confidential data.

@Prakash This is a link I just named Home; it's actually the aa action, not Index. I replaced "placed an order" with aa. Then, coming to the second tab and clicking confidential data, user B cannot open the confidential data after user A logs out. If you cannot add the Authorize attribute to each and every action, could you show your other code, so that I can reproduce your problem?
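Added example, not code from the question or the answer. It shows the two checks a server needs for the scenario in the question: a cookie issued before logout is rejected server-side (cookie authentication is stateless, so `SignOutAsync` only deletes the cookie in the browser), and the order action requires a purchase permission rather than mere authentication, since user B's cookie is perfectly valid. The `SessionVersionStore` service, the `session_version` and `permission` claims and the `CanPurchase` policy name are illustrative names chosen here, not ASP.NET Core APIs; the in-memory store assumes a single server instance.

```csharp
// Added example (not the asker's or answerer's code). SessionVersionStore,
// the "session_version" / "permission" claims and the "CanPurchase" policy
// are assumed names; everything else is standard ASP.NET Core cookie auth.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Server-side session version per user. Logout bumps the version, so any
// cookie minted before logout carries a stale version and is rejected.
public class SessionVersionStore
{
    private readonly ConcurrentDictionary<string, int> _versions = new ConcurrentDictionary<string, int>();
    public int Current(string userId) => _versions.GetOrAdd(userId, 0);
    public int Invalidate(string userId) => _versions.AddOrUpdate(userId, 1, (_, v) => v + 1);
}

public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<SessionVersionStore>();

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(x =>
            {
                x.LoginPath = "/UserAccount";
                x.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                x.SlidingExpiration = true;
                x.Events = new CookieAuthenticationEvents
                {
                    // Runs on every request that presents the auth cookie. A stale
                    // version makes the request anonymous, so the global
                    // RequireAuthenticatedUser policy redirects to LoginPath.
                    OnValidatePrincipal = async context =>
                    {
                        var store = context.HttpContext.RequestServices.GetRequiredService<SessionVersionStore>();
                        var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        var versionClaim = context.Principal?.FindFirst("session_version")?.Value;
                        if (userId == null || !int.TryParse(versionClaim, out var version)
                            || version != store.Current(userId))
                        {
                            context.RejectPrincipal();
                            await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                        }
                    }
                };
            });

        // Authentication alone does not stop user B: B is authenticated too.
        // The order action must additionally require the purchase permission.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("CanPurchase", p => p.RequireClaim("permission", "purchase"));
        });
    }
}

public static class LoginHelper
{
    // Embed the current session version at login so the cookie can be matched later.
    public static ClaimsPrincipal BuildPrincipal(string userId, string displayName, bool canPurchase, SessionVersionStore store)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, userId),
            new Claim(ClaimTypes.Name, displayName),
            new Claim("session_version", store.Current(userId).ToString()),
        };
        if (canPurchase) claims.Add(new Claim("permission", "purchase"));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme));
    }
}

public class PurchaseController : Controller
{
    private readonly SessionVersionStore _store;
    public PurchaseController(SessionVersionStore store) => _store = store;

    // Policy: an authenticated user without the purchase claim gets 403, not an order.
    // Antiforgery: the token rendered in the stale tab was bound to user A's
    // NameIdentifier, so a submit that arrives with user B's cookie fails validation too.
    [HttpPost]
    [Authorize(Policy = "CanPurchase")]
    [ValidateAntiForgeryToken]
    public IActionResult PlaceOrder(int productId, int quantity)
    {
        return Ok(new { productId, quantity });
    }

    public async Task<IActionResult> Logout()
    {
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null) _store.Invalidate(userId); // cookies issued before this point are now rejected
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction("Index", "Home");
    }
}
```

Wire `AuthSetup.Configure(services)` in place of the `AddAuthentication` call in Startup.cs and build the principal with `LoginHelper.BuildPrincipal` before `SignInAsync`. The version check is what the question asks for (stale cookies are ignored and the user is sent to the login page); the `CanPurchase` policy and antiforgery token are what actually stop the stale purchase form from being submitted under another user's valid session.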
