Change Password and Logout from Sitecore CMS still allows access to the /sitecore home page

Context:

Recently, I came across an interesting scenario in a Sitecore Slack channel thread: the home page is still accessible after a user changes their password and logs out of the CMS. So, I decided to simulate the issue in a local instance and could reproduce it. Instead of explaining the situation in words, here is a video that demonstrates the issue in a fresh Sitecore 10.4 instance:


Although this is an edge case, and such edge cases are usually the playground of the testing and security teams, there is little chance that it would be a show-stopper or a loophole, since it is a user-session-based problem. Nevertheless, it is always good to know what is what in the area you work in and stay on top of issues, similar to keeping your armoury fine-tuned at all times; you never know what will be useful when! So, in case your testing/security team comes up with this issue and makes a big hue and cry, here is what I did to stop the user from accessing the home page without logging into the CMS.

Root Cause:

The root cause of the issue is that the application cookies for the domain were still present after logout, especially the .ASPXAUTH authentication cookie:


Once I manually deleted the cookie concerned, the authentication process would kick in and display the login page automatically.

Fix:

By trial and error, I found that invoking the FormsAuthentication.SignOut method clears the cookie properly; the SignOut method is quite self-explanatory, as shown below:



Now, all I had to do was add a processor that makes this call and patch it into the logout pipeline; I chose to run it before the GotoLogin processor, as follows:

using Sitecore.Diagnostics;
using Sitecore.Pipelines.Logout;

namespace CustomSitecoreLogout
{
    public class LogoutProcessor
    {
        public void Process(LogoutArgs args)
        {
            Tracer.Info("Intercepting call to Sitecore logout.");

            // Expire the .ASPXAUTH forms-authentication cookie so the browser
            // stops sending it and the next request to /sitecore hits the login page.
            System.Web.Security.FormsAuthentication.SignOut();
        }
    }
}


**************

Patch Config:

#############

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <speak.logout>
        <processor type="CustomSitecoreLogout.LogoutProcessor" patch:before="processor[@type='Sitecore.Pipelines.Logout.GotoLogin, Sitecore.Kernel']"/>
      </speak.logout>
    </pipelines>
  </sitecore>
</configuration>

#############

End-result:

Once you do the usual shenanigans of deploying the dll to the webroot bin folder and the patch config under the site's App_Config zzz folder, here is the end-result of the patch:
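Besides eyeballing the cookie in the browser, a quick way to confirm the fix (and to catch a regression later) is to inspect the Set-Cookie headers of the logout response and check that the forms-authentication cookie is actually being expired. The following Python script is an added example and not part of the original post or of Sitecore; the two sets of Set-Cookie headers in it are constructed to resemble what ASP.NET emits before and after the fix (FormsAuthentication.SignOut writes the cookie back with an empty value and a fixed expiry date in 1999), not captured from a real instance.

```python
"""Check whether a logout response actually expires the forms-authentication cookie.

Added example, not part of the original post. The Set-Cookie lines below are
constructed to resemble what ASP.NET emits; they are assumptions, not captured
from a real Sitecore instance.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

AUTH_COOKIE = ".ASPXAUTH"  # default ASP.NET forms-authentication cookie name


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_is_expired(cookie: dict, now: datetime) -> bool:
    """True if the Set-Cookie line tells the browser to discard the cookie.

    A cookie is removed when Max-Age is zero or negative, or when Expires lies
    in the past. An empty value on its own is NOT enough: the browser would
    simply keep an empty cookie, and the server still sees a cookie present.
    """
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:  # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires < now
    return False


def logout_clears_auth_cookie(set_cookie_headers, name=AUTH_COOKIE, now=None) -> bool:
    """Return True if any Set-Cookie header in the logout response expires `name`."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] == name and cookie_is_expired(cookie, now):
            return True
    return False


# Constructed sample responses (not captured from a real instance).
# Before the fix: logout only touches the session cookie; .ASPXAUTH survives.
BEFORE_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
]
# After the fix: the processor's FormsAuthentication.SignOut() adds an expiring
# .ASPXAUTH cookie (ASP.NET uses a fixed 1999 expiry date for this).
AFTER_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=; expires=Tue, 12-Oct-1999 00:00:00 GMT; path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"{label}: auth cookie cleared = {logout_clears_auth_cookie(headers)}")
```

To use it against a real instance, capture the raw Set-Cookie headers of the logout response (browser dev tools or any HTTP client) and pass them as the list; the check deliberately ignores a cookie that is merely set to an empty value, because that does not remove it from the browser. Note that the browser only overwrites the cookie if the Path and Domain on the expiring Set-Cookie match the original, so keep an eye on those attributes too.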


Github - make sure to publish the dll and config file to the correct webroot folder path
