okta/samples-aspnetcore

Logout does not prevent replay of requests

Coder3333 opened this issue · 4 comments

I downloaded this sample application and am experiencing an issue for a particular scenario. I tested this with okta-aspnetcore-mvc-example.sln. Logging out of the application does not prevent replaying a previous request. What can I do to prevent this type of action?

Steps to recreate:

  1. Run application and hit Home route.
  2. Click "Sign In" and complete authentication challenge.
  3. Use F12 to engage developer tools in your browser. Make sure the "Persist logs" option is enabled, so that navigating to a new route retains the network history.
  4. Navigate to the Home/Profile route by either putting it in the navigation bar or clicking the link. Notice that this gives you a 200 response in the Network history.
  5. In the Navigation history, use the Resend option to replay the request to Home/Profile. Notice how this continues to give you a 200 response, as expected, since you are still logged in.
  6. Click the "Sign Out" button, which will sign you out of Okta.
  7. In the Navigation history, use the Resend option to replay the request to Home/Profile, again. Notice how this continues to give you a 200 response, even though you are logged out. (this is what I want to prevent)
  8. Just to confirm that you are actually logged out, use the location bar in your browser to navigate to Home/Profile. This time, you will get a 302 response and be challenged for credentials.

@Coder3333,
Thanks for reaching out! I've added an item to our backlog to review this for a solution. Someone will follow up with more.

Thanks for using Okta!

Internal Ref: OKTA-395904

Hi @Coder3333,

This behavior seems to be by design in ASP.NET Core; see this link.
MS recommends using ITicketStore to invalidate sessions. I find this article useful for this use case; I hope this helps.
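As an added illustration of the ITicketStore approach mentioned above (example code, not from the Okta sample or the Okta SDK): the cookie then carries only an opaque key, and the authentication ticket itself lives on the server, so once sign-out removes the stored ticket a replayed copy of the old cookie no longer resolves to a signed-in user. The `InMemoryTicketStore` class name is mine; the example assumes the app's cookie handler is registered under the default scheme name `CookieAuthenticationDefaults.AuthenticationScheme` ("Cookies") and is signed out on logout, as the built-in cookie handler calls `SessionStore.RemoveAsync` on sign-out when a `SessionStore` is configured.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Server-side session store for cookie authentication.
// Hypothetical name; the interface is ASP.NET Core's ITicketStore.
// In-memory only: entries vanish on restart and are not shared across
// instances, so a real deployment would back this with a distributed cache.
public class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    // Called on sign-in: the returned key is what ends up inside the cookie,
    // so the cookie holds no claims of its own.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    // Called when sliding expiration refreshes the ticket.
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    // Called on every authenticated request. Returning null makes the
    // cookie handler treat the request as anonymous, which is exactly what
    // should happen to a request replayed after logout.
    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    // Called by the cookie handler on SignOutAsync; this is the revocation.
    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

public static class TicketStoreRegistration
{
    // Call this from ConfigureServices after the cookie/Okta scheme has been
    // registered; it attaches the store to the existing cookie options
    // without replacing the scheme configuration.
    public static IServiceCollection AddServerSideCookieSessions(this IServiceCollection services)
    {
        services.AddSingleton<ITicketStore, InMemoryTicketStore>();
        services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
            .Configure<ITicketStore>((options, store) => options.SessionStore = store);
        return services;
    }
}
```

With this in place, the replay in step 7 of the report returns the same 302 challenge as step 8, because the replayed cookie's key no longer exists in the store. Note that this only revokes the local cookie session; the Okta session is ended by the existing OIDC sign-out, and the two are independent.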

Closing due to inactivity. Feel free to reopen if needed.