diff --git a/Oqtane.Server/Extensions/OqtaneServiceCollectionExtensions.cs b/Oqtane.Server/Extensions/OqtaneServiceCollectionExtensions.cs
index d9b31fd9..274a0aab 100644
--- a/Oqtane.Server/Extensions/OqtaneServiceCollectionExtensions.cs
+++ b/Oqtane.Server/Extensions/OqtaneServiceCollectionExtensions.cs
@@ -169,6 +169,7 @@ namespace Microsoft.Extensions.DependencyInjection
                 options.Cookie.HttpOnly = true;
                 options.Cookie.SameSite = SameSiteMode.Lax;
                 options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+                options.LoginPath = "/login"; // overrides .NET Identity default of /Account/Login
                 options.Events.OnRedirectToLogin = context =>
                 {
                     context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
diff --git a/Oqtane.Server/Security/PrincipalValidator.cs b/Oqtane.Server/Security/PrincipalValidator.cs
index dc6d7256..710ac970 100644
--- a/Oqtane.Server/Security/PrincipalValidator.cs
+++ b/Oqtane.Server/Security/PrincipalValidator.cs
@@ -7,13 +7,15 @@ using Oqtane.Models;
 using Oqtane.Extensions;
 using Oqtane.Shared;
 using Oqtane.Managers;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
 
 namespace Oqtane.Security
 {
     public static class PrincipalValidator
     {
-        public static Task ValidateAsync(CookieValidatePrincipalContext context)
+        public static async Task ValidateAsync(CookieValidatePrincipalContext context)
         {
             if (context != null && context.Principal.Identity.IsAuthenticated && context.Principal.Identity.Name != null)
             {
@@ -49,6 +51,7 @@ namespace Oqtane.Security
                         // remove principal (ie. log user out)
                         Log(_logger, alias, "Permissions Removed For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
                         context.RejectPrincipal();
+                        await context.HttpContext.SignOutAsync(Constants.AuthenticationScheme);
                     }
                 }
                 else
@@ -58,7 +61,6 @@ namespace Oqtane.Security
                     }
                 }
             }
-            return Task.CompletedTask;
         }
 
         private static void Log (ILogManager logger, Alias alias, string message, string username, string path)
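Review bot: The added `options.LoginPath = "/login";` sits directly above an `OnRedirectToLogin` override that sets the response to 403 Forbidden, so the cookie handler's own redirect to LoginPath never fires from this handler and the comment does not say where the value is actually consumed. The rest of the `OnRedirectToLogin` lambda is outside the hunk, so it may fall back to a redirect for non-API requests; if so, state that in the comment, e.g. `// LoginPath is read by the redirect fallback in OnRedirectToLogin below; API requests get 403 instead`. The path is also a fixed root-relative string; if a site alias can carry a path segment, a redirect to "/login" would land outside that site — worth confirming against how aliases are resolved.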
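Review bot: The new `await context.HttpContext.SignOutAsync(Constants.AuthenticationScheme);` names the scheme via a constant while the validation context already knows which cookie scheme it is validating; `await context.HttpContext.SignOutAsync(context.Scheme.Name);` ties the sign-out to that scheme and cannot drift if the constant and the registered scheme ever diverge (if the two are the same value today this is a robustness point, not a bug). The existing comment `// remove principal (ie. log user out)` now under-describes the block: RejectPrincipal() only fails authentication for the current request, and the SignOutAsync call is what clears the cookie so the browser stops presenting it — suggest `// RejectPrincipal fails this request; SignOutAsync deletes the cookie so it is not replayed`. The enclosing `if`/`else` and the `ValidateAsync` method start and end outside this hunk, so the else branch (still no sign-out) should be checked for the same need.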