Question

Currently when a user logs out the log out process works correctly but the user stays on the same screen and therefore can still see secure data.

What is the best practice for forcing a browser redirect after logging out of ServiceStack?


Solution

It's not possible for the server to enforce a client redirect. It's really up to the client to enforce the security for the data after you logout. If the client has been trusted with the secure data already, during the course of the session, then you need to trust that the client will secure it appropriately when the session ends.

While you can have ServiceStack send redirect headers to the client when logging out, there is nothing requiring the client to actually take that action.

If a JavaScript client makes an AJAX request to ServiceStack to logout, the redirect response doesn't affect the page displaying the secure data, because the AJAX request operates effectively in a separate scope from the page showing the data, and so that page remains unaffected by the redirect. So the redirect is useless, unless the client explicitly provides a mechanism to handle such event.

The client must take responsibility for navigating away from the secure data itself. The best practice would be:

In the success method of your call to the logout action, you should:

  • Dispose of any sensitive in-memory data, i.e., JavaScript variables or DOM elements displaying the data.
  • Delete the session cookie
  • Redirect to login

If you have secured your service properly, then navigating back through the history should still trigger a session check, for which there will no longer be a valid session, and you should be redirected away.

You previously mentioned using AngularJS. If you were doing this with the $http service, then the success callback can be used, like this:

// POST to ServiceStack's logout endpoint; 'provider: "logout"' selects the logout action.
// Note: the .success() shorthand was removed in AngularJS 1.6 (use .then(function(response) {...}) there),
// and $cookieStore was deprecated in 1.4 in favour of $cookies.
$http({method: 'POST', url: '/auth/logout', data: { provider: "logout" }}).success(
    function(data, status, headers, config) {
        $scope.someValue = null; // Remove sensitive values from the scope (though it should be cleared up anyway with the redirect to a different state)
        $cookieStore.remove('ss-id'); // Remove the ServiceStack session cookie
        $state.transitionTo('login'); // Redirect to the ui-router login state
    }
);

This example assumes you have injected the $http, $cookieStore, $state providers.

tl;dr

  • The client must enforce the security. The server redirect should be treated as nothing more than a suggestion to the client.
  • Use the success callback of the logout request action to delete the session cookie, dispose of any values in memory and redirect away from the data.

Hope this helps.
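As an added example (this is not code from the original answer or from ServiceStack), here is a framework-agnostic version of the same three-step cleanup, written so that it also covers the failure mode the answer's point implies: if the logout request never reaches the server, the client must still scrub its state and leave the page. The `post`, `cookieJar` and `navigate` dependencies are injected so the routine runs in Node as well as in a browser; those names, the `state` object and the `/login` path are assumptions. The second cookie name, `ss-pid`, is ServiceStack's permanent session cookie; the original answer removes only `ss-id`.

```javascript
// Added example, not from the original answer: client-side logout that
// (1) scrubs in-memory data, (2) deletes the session cookies, (3) redirects,
// and does all three even when the logout request fails.
// Assumed names: post, cookieJar, navigate, state, loginPath.

const LOGOUT_URL = '/auth/logout';
// ServiceStack session cookies: 'ss-id' (session) and 'ss-pid' (permanent).
const SESSION_COOKIES = ['ss-id', 'ss-pid'];

// Overwrite and drop every own property so the values are no longer reachable
// from the page (and can be garbage-collected).
function scrubState(state) {
  for (const key of Object.keys(state)) {
    state[key] = null;
    delete state[key];
  }
}

function deleteCookies(cookieJar, names) {
  for (const name of names) cookieJar.remove(name);
}

// Returns true if the server acknowledged the logout, false otherwise.
// Cleanup and redirect run in `finally`, so they happen on every path.
async function logoutAndRedirect({ post, state, cookieJar, navigate, loginPath = '/login' }) {
  let serverLoggedOut = false;
  try {
    const res = await post(LOGOUT_URL, { provider: 'logout' });
    serverLoggedOut = Boolean(res && res.ok);
  } catch (err) {
    // Network failure: the server session may still exist, but the client
    // must still stop showing the data. Fall through to the cleanup below.
  } finally {
    scrubState(state);
    deleteCookies(cookieJar, SESSION_COOKIES);
    navigate(loginPath);
  }
  return serverLoggedOut;
}

// Browser adapters (only used when wired up in a page; never called here).
function browserDeps(state) {
  return {
    state,
    // credentials: 'same-origin' so the session cookie is sent with the request.
    post: (url, body) => fetch(url, {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    }),
    cookieJar: {
      // Path (and domain, if set) must match the original cookie for this to work.
      remove: (name) => { document.cookie = name + '=; Max-Age=0; path=/'; },
    },
    // replace() rather than assign(): the page with the data is not left as
    // the immediate "back" entry in history.
    navigate: (path) => { window.location.replace(path); },
  };
}

// Stand-alone run outside a browser: exercise the routine with fakes.
if (typeof window === 'undefined') {
  const state = { balance: 1234.56 }; // constructed sample data
  logoutAndRedirect({
    post: async () => ({ ok: true }),
    state,
    cookieJar: { remove: (n) => console.log('removed cookie', n) },
    navigate: (p) => console.log('navigate to', p),
  }).then((ok) => console.log('server logout ok:', ok, 'state:', state));
}
```

Two caveats a practitioner should keep in mind with this pattern: a cookie flagged HttpOnly cannot be deleted from JavaScript at all, so the server's logout response must expire it itself (the client-side removal is only a belt-and-braces step), and the secure pages should be served with `Cache-Control: no-store` so that navigating back does not render a cached copy of the data without ever hitting the session check.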

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow