
I have an issue that has really kept me struggling for a long time.

I am building a wizard with multiple pages, and I want to persist state from one page to the other. One step in that multi-page wizard is performing an OAuth redirect to an external service (so, I show a <a href="" /> link that points to the OAuth login page, and after the login, the redirect from that service comes back to the next page in my wizard).

That all works, but the problem is that the state that I have persisted in ProtectedSessionStorage seems to be gone after that redirect. I was under the assumption that that state would be persisted? (I tried both ProtectedSessionStorage and ProtectedLocalStorage.)

I must be missing something, but I can't get my head around it.

This is the behavior until now:

  • Page 1 : user enters value, value gets persisted to local storage
  • Page 2 : I successfully load and display that value and add a link to the other application
  • Page 3 : the other application redirects to this page, and when I execute the same code as on Page 2 (see below), the value is empty.

This is the code where the value is successfully retrieved on Page 2, and is empty on Page 3:

protected override async Task OnAfterRenderAsync(bool firstRender)
{
    if (firstRender)
    {
        var re = await SessionStorage.GetAsync<string>("LockExternalRef");
        Console.WriteLine(re.Value); // Works on Page 2, empty on Page 3, after redirect
        await base.OnAfterRenderAsync(firstRender);
    }
}
Sam Vanhoutte
  • Can you confirm that both of your pages have the exact same URL origin (same port, same protocol, etc.)? – T.Trassoudaine May 02 '23 at 09:31
  • Have you tried another browser? Does Page2 share the same domain/http scheme with Page3? – Ruikai Feng May 04 '23 at 01:06
  • Hello, thanks for your feedback. I verified that both Page 1 and Page 2 have the exact same "base Address": https://localhost:7192/organization/ ... – Sam Vanhoutte May 04 '23 at 11:58
  • What about Page 3? – T.Trassoudaine May 04 '23 at 12:17
  • You can't get localStorage from any domain but the domain that set the value. You also want to avoid using that for anything sensitive as it will be vulnerable to XSS attacks. (secure, http-only cookie is better for things that persist a session or remember a user...) – pcalkins May 04 '23 at 18:53
  • @pcalkins This is a "ProtectedSessionStorage" which is encrypted... – Jamie Bonnett Aug 22 '23 at 00:36
  • Seems like you'd need to call "ProtectedSessionStore.GetAsync"... but since it was working in Page 1, I guess that's not needed. I have a feeling that the encryption key will be stored in memory, which means it may not survive after a redirect. Take a look at the value in sessionStorage using the inspector... it may be there, but the key value may be something encrypted. The encryption key may not be available... seems like it would throw some kind of exception if that's the case. Also remember that XSS can use the same calls you use. – pcalkins Aug 22 '23 at 17:46
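
The origin comparison that the first comments ask about, written out as an added example (it is not part of the original question or of any comment). It assumes the wizard pages and the OAuth callback are known as absolute URLs; the function names, the /step2 and /step3 paths and the alternative origins are constructed for illustration.

```javascript
// Web Storage is partitioned by origin: scheme + host + port.
// sessionStorage is additionally scoped to the browser tab that wrote it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// URL.port is "" when the port is the scheme default, so fill it in.
function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || "";
}

// For each candidate page, report whether it would see the same storage
// area as the page that wrote the value, and which origin part differs.
function checkWizardOrigins(writerUrl, candidateUrls) {
  const writer = new URL(writerUrl);
  return candidateUrls.map((url) => {
    let page;
    try {
      page = new URL(url);
    } catch {
      return { url, origin: null, sharesStorage: false, differs: ["unparseable"] };
    }
    const differs = [];
    if (page.protocol !== writer.protocol) differs.push("scheme");
    if (page.hostname !== writer.hostname) differs.push("host");
    if (effectivePort(page) !== effectivePort(writer)) differs.push("port");
    return { url, origin: page.origin, sharesStorage: differs.length === 0, differs };
  });
}

// Constructed sample URLs: only the base address comes from the thread;
// the /step2 and /step3 paths and the alternative origins are made up.
const WRITER = "https://localhost:7192/organization/step2";
const CANDIDATES = [
  "https://localhost:7192/organization/step3?code=SAMPLE",
  "http://localhost:7192/organization/step3",
  "https://127.0.0.1:7192/organization/step3",
  "https://localhost:5001/organization/step3",
];

for (const r of checkWizardOrigins(WRITER, CANDIDATES)) {
  console.log(r.sharesStorage ? "same " : "other", r.origin, r.differs.join(","));
}
```

Run it with the redirect URI registered at the external service as one of the candidates; any entry reported as "other" reads from a different storage area than the page that wrote the value.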

0 Answers