After HttpContext.SignOutAsync but User.Identity.IsAuthenticated is still true.

Question

After I run the two lines below, why is User.Identity.IsAuthenticated still true? How do I properly sign out?

await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);

My project type is ASP.NET Core Razor Pages in .NET 6. Below is my program.cs.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.EntityFrameworkCore;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

string[] initialScopes = builder.Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

builder.Services.AddScoped<GraphProfileClient>();
    
// -----------------------------------------------------------------------------------------
var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();

app.Run();

Answer 1

Score: 2

HttpContext.User is not updated when you call HttpContext.SignOutAsync().

A user is only authenticated once per request. Once it determines whether they are authenticated or not, that does not change for the remainder of that request. They are still authenticated for the duration of that request.

If you want User.Identity.IsAuthenticated to be false, you can try adding the code below after you call HttpContext.SignOutAsync():

 HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);

From this, we see:

> When the browser closes it automatically deletes session based cookies
> (non-persistent cookies), but no cookies are cleared when an
> individual tab is closed. The server is not notified of tab or browser
> close events.
>
> The user remains signed into the app as long as the authentication
> cookie is valid.

If you want the cookie to be invalid after you sign out, you can read this to set up cookie validation.
Validating the cookie on every request mitigates the risk of revoked users accessing the app.
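As an added example (not the answer's or the project's own code) that ties the two points above together: a logout page handler that replaces the request's principal after SignOutAsync, and a Program.cs fragment that validates the cookie on every request against a hypothetical RevocationStore. It assumes a Pages/Logout.cshtml page, that the NameIdentifier claim is present on the principal, and that Microsoft.Identity.Web uses the default cookie scheme name.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Program.cs fragment (the AddAuthentication/AddMicrosoftIdentityWebApp registration from the question goes
// before this): validate the cookie principal on every request so a user revoked server-side is signed out.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<RevocationStore>(); // hypothetical store, defined below
builder.Services.Configure<CookieAuthenticationOptions>(
    CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.Events.OnValidatePrincipal = async context =>
        {
            var store = context.HttpContext.RequestServices.GetRequiredService<RevocationStore>();
            var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value; // assumed present
            if (userId is null || store.IsRevoked(userId))
            {
                context.RejectPrincipal(); // this request proceeds unauthenticated
                await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });
var app = builder.Build();
app.Run(); // middleware pipeline as in the question

// Hypothetical in-memory revocation list; a real one would be backed by a database or cache.
public class RevocationStore
{
    private readonly HashSet<string> _revoked = new();
    public bool IsRevoked(string userId) { lock (_revoked) return _revoked.Contains(userId); }
    public void Revoke(string userId) { lock (_revoked) _revoked.Add(userId); }
}

// Handler for a hypothetical Pages/Logout.cshtml: sign out of both schemes, then replace the principal
// that was resolved at the start of this request, which SignOutAsync never touches.
public class LogoutModel : PageModel
{
    public async Task<IActionResult> OnPostAsync()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
        // User.Identity.IsAuthenticated is now false for the rest of this request; the OIDC handler
        // has already set the redirect to the identity provider's end-session endpoint.
        return new EmptyResult();
    }
}
```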

huangapple
  • Posted by huangapple on 2023-02-24 11:41:03
  • Please retain this link when reposting: https://go.coder-hub.com/75552421.html