Question

I have a requirement for an explicit logout button for users in an ASP.NET web app. I am using IIS6 with Basic Authentication (SSL). I can redirect to another web page but the browser keeps the session alive. I have googled around and found a way to do it by enabling an ActiveX control to communicate with IIS and kill the session. I am in a restricted environment that does not allow forms authentication and ActiveX controls are not forbidden as well. Has anyone else had this requirement and how have you handled it?

Okay, that is what I was afraid of. I have seen similar answers on the net and I was hoping someone would have a way of doing it. Thanks for your time though. I guess I can use JavaScript to prevent the back button, like history.back().


Solution

I was struggling with this myself for a few days.

Using the IE-specific 'document.execCommand('ClearAuthenticationCache');' is not a good option for everyone: 1) it flushes all credentials, meaning that the user will, for example, also get logged out from his Gmail or any other website where he's currently authenticated; 2) it's IE only ;)

I tried using Session.Abandon() and then redirecting to my Default.aspx. This alone is not sufficient. You need to explicitly tell the browser that the request which was made is not authorized. You can do this by using something like:

// Answer the logout request with 401 so the browser drops its current credentials
Response.StatusCode = 401;
Response.Status = "401 Unauthorized";
Response.AddHeader("WWW-Authenticate", "BASIC Realm=my application name");
Response.End();

This will result in the following: the user clicks the logout button ==> he will get the basic login window. HOWEVER: if he presses escape (the login dialog disappears) and hits refresh, the browser automagically sends the credentials again, causing the user to get logged in, although he might think he's logged out.

The trick to solve this is to always spit out a unique 'realm'. Then the browser does NOT resend the credentials in the case described above. I chose to spit out the current date and time.

Response.StatusCode = 401;
Response.Status = "401 Unauthorized";
string realm = "my application name";
// Append the current date and time so the realm differs on every logout;
// DateTimeUtils.ConvertToUIDateTime is the author's own helper, any
// per-logout unique string (e.g. DateTime.Now.ToString("o")) works as well.
Response.AddHeader("WWW-Authenticate", string.Format(@"BASIC Realm={0} ({1})", realm, DateTimeUtils.ConvertToUIDateTime(DateTime.Now)));
Response.End();

Another thing that you need to do is tell the browser not to cache the page:

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.MinValue);
Response.Cache.SetNoStore();

With all these things in place it works (for me) in IE, but until now I still wasn't able to prevent firefox from logging in the user when the user first presses escape (hides the basic login dialog) and then refresh (F5) or the browsers back button.
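The three steps of the answer above (abandon the session, forbid caching, send a 401 with a per-logout unique realm) combined into one handler, as an added example that is not code from the original answer. The handler class name, the Logout.ashx path, the realm text and the use of a GUID next to the timestamp are assumptions.

```csharp
// Added example: logout handler for an ASP.NET app behind IIS Basic Authentication.
// Assumed deployment: Logout.ashx, or registered in web.config as an httpHandler.
using System;
using System.Web;
using System.Web.SessionState;

public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    // Placeholder realm; use the realm configured for the application.
    private const string BaseRealm = "my application name";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // 1. Drop everything the server associates with this user.
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // 2. Make sure neither the browser nor a proxy keeps a copy of a page
        //    that was served while the user was authenticated.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetExpires(DateTime.MinValue);
        response.Cache.SetNoStore();

        // 3. Tell the browser the request is unauthorized. The realm carries a
        //    value that changes on every logout (UTC timestamp plus a random
        //    token), so the browser treats it as a new protection space and
        //    does not replay the credentials it cached for the old realm.
        string uniqueRealm = string.Format("{0} ({1:yyyy-MM-ddTHH:mm:ssZ} {2})",
            BaseRealm, DateTime.UtcNow, Guid.NewGuid().ToString("N"));

        response.Clear();
        response.StatusCode = 401;
        response.StatusDescription = "Unauthorized";
        // RFC 2617 defines the realm as a quoted-string, hence the quotes.
        response.AddHeader("WWW-Authenticate",
            string.Format("Basic realm=\"{0}\"", uniqueRealm));
        response.Write("You have been logged out.");
        response.End();
    }
}
```

As the answer notes, this does not stop every browser from replaying credentials after Escape plus refresh, so the server-side Session.Abandon() remains the part that actually ends the session.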

OTHER TIPS

The Session.Abandon method destroys all the objects stored in a Session object and releases their resources. If you do not call the Abandon method explicitly, the server destroys these objects when the session times out.

Have you tried calling Session.Abandon in response to the button click?

Edit:

It would seem this is a classic back button issue.

There is very little you can do about the back button. Imagine the user has just opened the current page in a new window then clicked the logOut button, that page appears to log out but it will not immediately affect the content of the other window.

Only when they attempt to navigate somewhere in that window will it become apparent that their session is gone.

Many browsers implement the back button in a similar (although not identical) way. Going back to the previous page is not necessarily a navigation from an HTML/HTTP point of view.

This is a solution for this problem that works in IE6 and higher.

<asp:LinkButton ID="LinkButton1" runat="server" OnClientClick="logout();">LinkButton</asp:LinkButton>

<script>
    function logout()
    {
        document.execCommand("ClearAuthenticationCache", false);
    }
</script>

Found this from http://msdn.microsoft.com/en-us/library/bb250510%28VS.85%29.aspx

Web Team in Short Your Credentials, Please

Q: Jerry B. writes, "After the user has validated and processed his request, I now want to invalidate him. Assuming this machine is in an open environment where anyone could walk up and use it, I want to throw a new challenge each time a user accesses a particular module on the Web."

A: This is a frequently requested feature of the Internet Explorer team and the good people over there have given us a way to do it in Internet Explorer 6.0 SP1. All you need to do is call the execCommand method on the document, passing in ClearAuthenticationCache as the command parameter, like this:

document.execCommand("ClearAuthenticationCache");

This command flushes all credentials in the cache, such that if the user requests a resource that needs authentication, the prompt for authentication occurs again.

I put this on my logout link button and it works in IE6 sp1 and higher:

OnClientClick="document.execCommand('ClearAuthenticationCache');"
Licensed under: CC-BY-SA with attribution