
.net - Blazor: external callback is logging a different user - Stack Overflow


I have a normal Blazor app, with the default boilerplate user/password authentication from MS. I have 2 users, root and test.

I logged in with root and clicked "remember me". Then I logged out and logged in again with free, and initiated a payment process. The flow navigates to an outside page (different domain), and then calls a callback on success back to my app/domain.

The problem is that now, I am logged in as root instead of free.

Is there a way to fix/prevent this?


asked Jan 29 at 13:53 by AndreiM; edited Jan 30 at 7:50 by Tiny Wang
  • We can't guess what your application is doing, how authentication was configured or how the web app uses that unspecified external service. If the web app uses authentication cookies, and the payment gateway redirects to your site, the user's cookies would still be there. We can't guess how you determined that root is now the user. Did you use AuthenticationStateProvider? Used AuthorizeView to display the name? – Panagiotis Kanavos Commented Jan 29 at 14:16

1 Answer

I ran a test with a .NET 6 Blazor Server application and a 6 MVC application. You mentioned "the default boilerplate user/password authentication from MS", so the Blazor Server app I created via VS used "Microsoft identity platform" as the authentication type.

My test uses the code below. The Blazor app redirects to my MVC app, and my MVC controller action returns Redirect("https://localhost:7100/"); to mock the payment callback.

@page "/"
@inject IJSRuntime jsRuntime
@inject NavigationManager NavManager

<PageTitle>Index</PageTitle>
<h1>Hello, world!</h1>
Welcome to your new app.
<SurveyPrompt Title="How is Blazor working for you?" />
@* Blazor event handlers are bound with the @onclick directive *@
<button @onclick="direct">direct with NavigationManager to external site</button>
<button @onclick="direct2">direct with js invoke to external site</button>

@code{
    // Navigates the current tab to the external (MVC) site.
    public void direct()
    {
        NavManager.NavigateTo("https://localhost:7037/home/DynamicContent");
    }

    // Opens the external (MVC) site in a new tab via window.open.
    public async Task direct2()
    {
        await jsRuntime.InvokeAsync<object>("open", "https://localhost:7037/home/DynamicContent", "_blank");
    }
}

Everything worked well. I signed in with my account and chose "Stay signed in",

then I clicked the sign out button in my site. It redirects to the Microsoft Identity platform sign-out page and guides me to choose the account to sign out, and it finally redirects to /MicrosoftIdentity/Account/SignedOut. Then I went back to my Blazor site and clicked to navigate to the MVC page; it can still redirect back without any signed-in account.

We could deduce that the issue might relate to the persistent authentication cookies stored in the browser when using the "Remember Me" option. And if we used the official Microsoft Identity SDK, I trust it will help handle the cookie automatically. If you are working on an OpenIdConnect + Azure AD configuration, I'm afraid you need to deal with the cookie manually, and you might need code similar to:

await SignInManager.SignOutAsync();
HttpContext.Response.Cookies.Delete(".AspNetCore.Identity.Application"); 
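
A complementary check for the callback itself, as an added example that is not part of the original question or answer: bind the payment to the user who started it and refuse the callback if the authentication cookie resolves to a different account. It assumes the gateway echoes back an opaque value you supply; `PaymentStateBinder`, the purpose string and the sample ids are hypothetical names constructed for illustration.

```csharp
// Added example, not the poster's code. PaymentStateBinder, "free-id",
// "root-id" and "order-42" are constructed names/values for illustration.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public sealed class PaymentStateBinder
{
    private readonly ITimeLimitedDataProtector _protector;

    // In an ASP.NET Core app, take IDataProtectionProvider from DI.
    public PaymentStateBinder(IDataProtectionProvider provider) =>
        _protector = provider.CreateProtector("PaymentCallback.State.v1")
                             .ToTimeLimitedDataProtector();

    // Call when the signed-in user starts the payment; pass the result to the
    // gateway as the value it returns on the callback URL.
    public string Create(string userId, string orderId) =>
        _protector.Protect($"{userId}\n{orderId}", TimeSpan.FromMinutes(15));

    // Call in the callback with the id the auth cookie resolved to,
    // e.g. User.FindFirstValue(ClaimTypes.NameIdentifier).
    public bool TryVerify(string state, string currentUserId, out string orderId)
    {
        orderId = "";
        try
        {
            var parts = _protector.Unprotect(state).Split('\n', 2);
            if (parts.Length != 2) return false;
            // Reject when the cookie identity is not the payment's initiator.
            if (!string.Equals(parts[0], currentUserId, StringComparison.Ordinal)) return false;
            orderId = parts[1];
            return true;
        }
        catch (CryptographicException) { return false; } // tampered or expired
    }
}

public static class Demo
{
    public static void Main()
    {
        var binder = new PaymentStateBinder(DataProtectionProvider.Create("demo-app"));
        var state = binder.Create("free-id", "order-42");
        Console.WriteLine(binder.TryVerify(state, "free-id", out _));   // initiating user
        Console.WriteLine(binder.TryVerify(state, "root-id", out _));   // stale cookie user
        Console.WriteLine(binder.TryVerify(state + "x", "free-id", out _)); // altered token
    }
}
```

This does not explain why the older cookie is picked up, but it keeps the callback from completing a payment under an account other than the one that initiated it.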