The disturbing scenario is: users log out of the application but their session remains valid such that they are able to sign back in without reauthenticating. Is the below code snippet the portion of the code that needs to be configured for the B2C session behaviour?

    // Rewrite rule: when the browser lands on the signed-out page, send it to the home page instead.
    app.UseRewriter(
        new RewriteOptions().Add(
            context =>
            {
                if (context.HttpContext.Request.Path == "/MicrosoftIdentity/Account/SignedOut")
                {
                    context.HttpContext.Response.Redirect("/Home/Index");
                }
            }));
Nana

1 Answer

When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again.

The logout endpoint can receive an optional post_logout_redirect_uri parameter in the query string, where you can specify another URL to which B2C will finally redirect your user. That can be the address of any resource, e.g. your homepage or your own page showing a "You successfully logged out of our service" message to the user.

post_logout_redirect_uri - The URL that the user should be redirected to after successful sign out. If it isn't included, Azure AD B2C shows the user a generic message.

For more details, refer to this document, and also check this SO thread.

ShrutiJoshi-MT
  • Thank you for the help Shruti. I have taken a look at the links. The SO Thread is interesting as one of the answers is the same code snippet that the customer has? Is there a chance that something else is wrong here? – Nana Oct 27 '21 at 20:02
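As an added example (not the asker's or answerer's code), here is an ASP.NET Core sign-out action that ends both the local cookie session and the B2C session, so the OpenID Connect middleware redirects the browser to B2C's end-session endpoint rather than only dropping the app cookie; the scheme names are the ASP.NET Core defaults, the controller and action names are assumed, and the /Home/Index target comes from the question.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller; the action name is chosen so it does not hide
// the ControllerBase.SignOut(...) helpers it calls.
public class AccountController : Controller
{
    // Signing out of only the cookie scheme clears the application's session
    // but leaves the B2C session alive, so the next challenge completes
    // silently without a password prompt (the behaviour in the question).
    // Adding the OpenID Connect scheme makes the handler redirect the browser
    // to B2C's end-session endpoint with post_logout_redirect_uri set to its
    // SignedOutCallbackPath; the RedirectUri below is where the app sends the
    // user once B2C has called back.
    [HttpGet]
    public IActionResult Logout()
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Content("~/Home/Index")
        };

        return SignOut(props,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

The rewrite rule in the question only changes where the browser goes after B2C has already redirected back to the app's signed-out page; it does not by itself end the B2C session, which is why the sign-out action must include the OpenID Connect scheme.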