
Logout does not prevent replay of requests (ASP.Net) #60

Open
Coder3333 opened this issue Jan 11, 2022 · 1 comment

Comments

@Coder3333

I was able to solve this problem in ASP.Net Core using the recommendation given (okta/samples-aspnetcore#53), but now I want to do the same thing in old ASP.Net. I do not believe there is a concept of ITicketStore in ASP.Net, so what is the recommendation? Thank you.

Steps to recreate:

  1. Run application and hit Home route.
  2. Click "Sign In" and complete authentication challenge.
  3. Use F12 to engage developer tools in your browser. Make sure the "Persist logs" option is enabled, so that navigating to a new route retains the network history.
  4. Navigate to the Home/Profile route by either putting it in the navigation bar or clicking the link. Notice that this gives you a 200 response in the Network history.
  5. In the Navigation history, use the Resend option to replay the request to Home/Profile. Notice how this continues to give you a 200 response, as expected, since you are still logged in.
  6. Click the "Sign Out" button, which will sign you out of Okta.
  7. In the Navigation history, use the Resend option to replay the request to Home/Profile, again. Notice how this continues to give you a 200 response, even though you are logged out. (this is what I want to prevent)
  8. Just to confirm that you are actually logged out, use the location bar in your browser to navigate to Home/Profile. This time, you will get a 302 response and be challenged for credentials.
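The behaviour in step 7 is what you get whenever the cookie is the whole session: the middleware only checks that the cookie is validly signed and unexpired, so signing out (which deletes the browser's copy) does nothing to a copy captured earlier. The added example below is not code from the Okta sample or from this issue; it shows the OWIN-era counterpart of the ITicketStore approach referenced for ASP.NET Core. Microsoft.Owin.Security.Cookies exposes `CookieAuthenticationOptions.SessionStore`, typed `IAuthenticationSessionStore`, which lets the server keep the `AuthenticationTicket` and hand the browser only an opaque key. The in-memory dictionary, the `AuthenticationType` name and the `Startup.ConfigureAuth` method name are assumptions for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example, not part of the Okta sample. Server-side ticket store for the
// OWIN cookie middleware: the cookie carries only an opaque key, the ticket
// itself lives here. Removing the entry on sign-out makes a replayed cookie
// useless, because RetrieveAsync returns null and the middleware then treats
// the request as anonymous. In-memory storage is an assumption for the demo;
// a multi-node deployment needs a shared cache or database behind this.
public class InMemoryTicketStore : IAuthenticationSessionStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // The key is the only thing the client ever sees, so it must be
        // unguessable: 256 bits from the CSPRNG.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var key = Convert.ToBase64String(bytes);
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Called on sliding-expiration refresh; keep the same key.
        _tickets[key] = ticket;
        return Task.FromResult(0);
    }

    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        AuthenticationTicket ticket;
        _tickets.TryGetValue(key, out ticket);
        // null tells the middleware the session is gone -> 302 to the challenge
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Invoked by the middleware when SignOut names the cookie scheme.
        AuthenticationTicket removed;
        _tickets.TryRemove(key, out removed);
        return Task.FromResult(0);
    }
}

public partial class Startup
{
    // Assumed wiring point; register the OpenID Connect middleware as the
    // sample already does, after the cookie middleware.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",     // assumed scheme name
            SessionStore = new InMemoryTicketStore(),
        });
    }
}
```

With this in place, rerunning the steps above changes the outcome of step 7: the resent Home/Profile request carries a key whose entry was removed at sign-out, so it is redirected to the challenge like step 8. Two things to check when wiring it in: the sign-out call must include the cookie authentication type, or the middleware never reaches `RemoveAsync`; and because the store is now the source of truth, it needs an eviction policy matching the cookie's expiry, otherwise abandoned sessions accumulate in memory.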
@bryanapellanes-okta
Contributor

@Coder3333,
Thanks for reaching out! We will need to review this more closely to determine an appropriate solution. I've opened an internal ticket for tracking.
