In my code I handle a DbUpdateConcurrencyException and for the case of updating a user's account, and the user no longer exists, I want to log them out - as they are no longer a valid user.
Granted, not a biggie because this should be rare and any page they try to go to will not accept them as they no longer have a claim. But its cleaner to log them out.
I can't use the SignInManager in Blazor.
To use the Identity library LogOut.cshtml, it requires a POST to the page to logout due to this security issue.
So, how can I force a logout from code? There are a lot of articles about why it must be a POST and how to create a page to do that. But none (that I can find) on a way to force a logout as opposed to asking a user to click a submit.
In your Logout.cshtml page you can use javascript to do an automatic POST immediately when the page is retrieved via GET.
Logout.cshtml:
@page
@model MyApp.Pages.LogoutModel
<form method="post"></form>
@section Scripts {
<script>
window.onload = function () {
document.forms[0].submit();
};
</script>
}
Logout.cshtml.cs:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
namespace MyApp.Pages
{
[IgnoreAntiforgeryToken]
public class LogoutModel : PageModel
{
public async Task<IActionResult> OnPostAsync()
{
await HttpContext.SignOutAsync();
return Redirect("/");
}
}
}
Then, in your Blazor component where you want to perform the logout:
@inject NavigationManager nav
...
nav.NavigateTo("/Logout", true);
(based on the method described here)