Question

I'm using MVC4 C# and have incorporated a home grown security token service (STS). The user calls the actual web address, and they're passively redirected to the STS login. When they successfully authenticate they're redirected to where they're supposed to go, which was all urlencoded in the URL on the redirect to the STS.

Upon logout, we call:

 this.Session.Abandon();
 this.Response.Cache.SetCacheability(HttpCacheability.NoCache);
 this.Response.ClearContent();

 // expires the claims
 FederatedAuthentication.SessionAuthenticationModule.SignOut();
 FederatedAuthentication.SessionAuthenticationModule.CookieHandler.Delete();
 WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
 Response.Redirect(WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null));

Everything seems to work great on the desktop version of our app. The user is back at the STS login page, and the URL shows wlogin1 (and lots of other stuff) and will allow the user to login again without issue. The URL is exactly the same as when they first were redirected to the STS. Perfect, and this is what I want.

Now, when on mobile, which by the way uses the exact same domain/controller/Methods, it just uses jQueryMobile and different partial views, the logout appears to work and the user is brought back to the STS login. This time, however, the URL only shows the Domain/Controller/Method that was actually called from the mobile actionLink used for Logout. When the user tries to login again, the login is always unsuccessful because this link isn't appropriate for an STS login.

Thoughts on how to fix this, or what's wrong? Please let me know if you require any clarification. Thanks!


Solution

I was able to fix this!!

Looking at the headers for the mobile site it showed: X-Requested-With: XMLHttpRequest. So, my logout was attempted with ajax and something wasn't working. This was the only difference between the desktop and mobile headers (besides user-agent, obviously). Started poking around this as the issue.

Within one of my mobile-specific scripts I added the following within the mobileinit. BINGO! Wow, what an easy solution for such a confusing problem.

$(document).bind("mobileinit", function (event) {
  $.mobile.ajaxEnabled = false;
});

Make sure that you correctly load your libraries too! I have loaded my jquery libraries in this order:

  1. jquery
  2. mobile jquery init file (the stuff above)
  3. jquerymobile
  4. jquery validation
  5. everything else

We're using the following jQuery libraries: jquery 1.9.1, jquery-ui 1.10.3, jquery.mobile 1.3.1, jquery.validate

Hope this helps others!
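
The header comparison described in the answer can be automated. The following is an added example, not code from the original post: it flags a logout that was sent as an AJAX request and left the browser on a URL that is not a WS-Federation sign-in request. The helper names, host names and captured values are constructed, and it assumes the standard passive sign-in parameters `wa=wsignin1.0` and `wtrealm`.

```javascript
// Added example: helper names and sample captures are constructed for illustration.
// A WS-Federation passive sign-in request carries wa=wsignin1.0 and wtrealm.
const REQUIRED_SIGNIN_PARAMS = ["wa", "wtrealm"];

// Classify the URL shown in the address bar when the STS login page is displayed.
function describeFederationUrl(rawUrl) {
  const params = new URL(rawUrl).searchParams;
  const missing = REQUIRED_SIGNIN_PARAMS.filter((p) => !params.has(p));
  let kind = "not-federation";
  if (params.get("wa") === "wsignin1.0" && missing.length === 0) kind = "signin";
  else if (params.get("wa") === "wsignout1.0") kind = "signout";
  return { kind, missing };
}

// Header names are case-insensitive, so compare them in lower case.
function isAjaxRequest(headers) {
  return Object.entries(headers).some(
    ([name, value]) =>
      name.toLowerCase() === "x-requested-with" &&
      String(value).trim().toLowerCase() === "xmlhttprequest"
  );
}

// Combine both observations into one verdict per captured logout.
function diagnoseLogout(capture) {
  const ajax = isAjaxRequest(capture.requestHeaders);
  const landing = describeFederationUrl(capture.addressBarUrl);
  if (ajax && landing.kind !== "signin") {
    return "ajax-logout: STS login page shown under a URL that is not a sign-in request (missing " +
      landing.missing.join(", ") + ")";
  }
  if (!ajax && landing.kind === "signin") return "ok: full navigation to the STS sign-in URL";
  return "inconclusive";
}

// Constructed captures: one desktop logout, one jQuery Mobile logout.
const desktop = {
  requestHeaders: { "User-Agent": "desktop-browser" },
  addressBarUrl: "https://sts.example.test/login?wa=wsignin1.0&wtrealm=https%3A%2F%2Fapp.example.test%2F",
};
const mobile = {
  requestHeaders: { "User-Agent": "mobile-browser", "X-Requested-With": "XMLHttpRequest" },
  addressBarUrl: "https://app.example.test/Account/Logout",
};

console.log(diagnoseLogout(desktop));
console.log(diagnoseLogout(mobile));
```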

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow