Description
Hello.
My apologies if I've missed anything in the docs and / or previous issues regarding this topic - I have looked fairly thoroughly but I can't find anything concrete.
Whilst testing an application that I'm developing, I've noticed something and I'd appreciate some guidance from Microsoft (or anyone who's previously encountered this) about what to do.
I'm able to re-create the behaviour on a brand new File -> New Blazor Server app with "Individual authentication" using the .NET template - so I'm very confident it's not a quirk of my application.

Below, I've linked to a sample repo to provide as much context as I can.
The master branch is simply the output of the File -> New operation. No changes at all.
Then, in a branch named IdentityRevalidatingAuthenticationStateProviderChanges I've made a very simple change to simulate a user's session being invalidated. You can see that this is the sole change.
Running that branch, I've run the migration, created a user, logged in, and then let the IdentityRevalidatingAuthenticationStateProvider invalidate my session on the circuit - which I understand is the point of it as detailed here.
The result is the screenshot you can see below. The user appears to be logged out as far as Blazor is concerned, yet their "Application" cookie from ASP.NET identity persists:

This means that a user can click login again, or they can just refresh / open the website in another tab and be automatically logged back in because the cookie is sent by the browser, which is obviously not ideal for a number of reasons.
I've got a fix in place, but it feels really dirty. However, I can't find examples (or think) of a better solution.
Taking advantage of the routing, I've updated the RedirectToLogin component to post a hidden form to the Logout endpoint and updated the endpoint to return a TypedResults.SignOut for the ApplicationScheme. This seems to work without negative implications but I feel like there has to be a better way to solve the problem.
I've had a good look through the docs and I can see there are plenty of examples of how to handle these situations with Blazor WASM, or using a client and reverse proxying via YARP, but there seem to be limited examples when using "pure" Blazor Server.
Is anyone able to suggest or share something to solve this problem in a more elegant manner please?
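The server side of the workaround described in the post, written out as an added example rather than code from the issue author or from the linked repository. It assumes the .NET 8 Blazor Web App template with Individual accounts (Identity cookie schemes and antiforgery already registered in Program.cs); the route `/Account/Logout`, the `returnUrl` form field and the local-path check are assumptions for illustration. The security-relevant point is that revalidation failure on the circuit only changes what Blazor renders; the `.AspNetCore.Identity.Application` cookie is still in the browser until something signs out of the application scheme, so a refresh or a second tab would otherwise resume the session.

```csharp
// Added example, not the issue author's code. Assumes the .NET 8 Blazor Web App
// template with Individual accounts: Identity cookie schemes, Razor components
// and antiforgery are registered in Program.cs (elided below).
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http.HttpResults;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
// ... template registrations (Identity, Razor components, antiforgery) ...
var app = builder.Build();
// ... template middleware, including app.UseAntiforgery() ...

// Endpoint the RedirectToLogin component posts a hidden form to once the
// circuit's revalidation fails. Signing out of the *application* scheme removes
// the Identity application cookie, so the browser can no longer resume the
// session on refresh or in a new tab. Being a form POST, the request is subject
// to antiforgery validation, so the posting form needs an <AntiforgeryToken />.
app.MapPost("/Account/Logout", Results<SignOutHttpResult, BadRequest<string>>
    ([FromForm] string? returnUrl) =>
{
    // Accept only a local relative path as the post-sign-out destination so the
    // endpoint cannot be turned into an open redirector.
    var target = string.IsNullOrEmpty(returnUrl) ? "/Account/Login" : returnUrl;
    if (!target.StartsWith('/') || target.StartsWith("//") || target.StartsWith("/\\"))
    {
        return TypedResults.BadRequest("returnUrl must be a local path.");
    }

    // Clears the application cookie and then redirects to the login page.
    return TypedResults.SignOut(
        new AuthenticationProperties { RedirectUri = target },
        new[] { IdentityConstants.ApplicationScheme });
});

app.Run();
```

On the component side, the RedirectToLogin component renders a `method="post"` form targeting this endpoint with an `<AntiforgeryToken />` and a hidden `returnUrl` input, and submits it instead of navigating straight to the login page. Returning `TypedResults.SignOut` with the scheme list limited to `IdentityConstants.ApplicationScheme` mirrors the behaviour the post describes; the template's default logout endpoint calls `SignInManager.SignOutAsync()`, which additionally signs out of the external and two-factor schemes.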