Change Password and Logout from Sitecore CMS still allows to access /sitecore home page
Context:
Recently, I came across an interesting scenario in a Sitecore Slack channel thread: the /sitecore home page remains accessible after a user changes their password and logs out of the CMS. I reproduced the issue in a local instance and saw the same behaviour. Rather than explain the situation in words, here is a video that demonstrates the issue in a fresh Sitecore 10.4 instance:
Root Cause:
The root cause is that the application cookies for the domain were still present after logout, in particular the .ASPXAUTH (Forms Authentication) cookie:
Once I manually deleted that cookie, authentication kicked in and the login page was displayed automatically.
Fix:
By trial and error, I found that invoking the FormsAuthentication.SignOut method clears the cookie correctly. The SignOut method is self-explanatory, as shown below:
All that remained was to add the invocation to a suitable pipeline processor; I chose to run it before login, as follows:
Patch Config:
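The processor described above, written out as an added example (not the post's own code or the GitHub repository's): a class that expires the Forms Authentication cookie before the login attempt is processed. It assumes the `loggingin` pipeline and its `LoggingInArgs` type; the namespace and class name are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.LoggingIn;

namespace Example.Sitecore.Pipelines // hypothetical namespace
{
    /// <summary>
    /// Expires any stale Forms Authentication cookie (.ASPXAUTH by default)
    /// before a login attempt is processed, so a cookie left behind by an
    /// earlier session cannot keep /sitecore reachable after a password
    /// change and logout.
    /// </summary>
    public class ClearStaleAuthCookie
    {
        public void Process(LoggingInArgs args)
        {
            Assert.ArgumentNotNull(args, nameof(args));

            HttpContext context = HttpContext.Current;
            if (context == null)
            {
                return; // nothing to clear outside of a web request
            }

            string cookieName = FormsAuthentication.FormsCookieName;
            if (context.Request.Cookies[cookieName] == null)
            {
                return; // no forms ticket on this request
            }

            // Writes an expired copy of the forms cookie (and the roles
            // cookie) to the response, which makes the browser discard it.
            FormsAuthentication.SignOut();

            // Belt and braces: expire the cookie explicitly with the same
            // path and flags the ticket was issued with.
            var expired = new HttpCookie(cookieName, string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                Path = FormsAuthentication.FormsCookiePath,
                HttpOnly = true,
                Secure = FormsAuthentication.RequireSSL
            };
            context.Response.Cookies.Set(expired);

            Log.Info("Cleared stale " + cookieName + " cookie before login.", this);
        }
    }
}
```

Register the class with an App_Config include patch that adds a `<processor type="Example.Sitecore.Pipelines.ClearStaleAuthCookie, Example.Sitecore" />` entry at the start of the `loggingin` pipeline (assembly name assumed). Note that this only removes the cookie from the browser; the ticket value itself stays valid until its own timeout, so keep the forms ticket timeout short.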
End-result:
Once you have deployed the DLL to the webroot bin folder and placed the patch config under the site's App_Config zzz folder, here is the end result of the patch:
GitHub: make sure to publish the DLL and config file to the correct webroot folder path.