Logout from windows authentication??

[Kevin Yu]

is it possible to for user to click a logout button to logout and when the
user want to get into the system again, the user have to login again?


Kevin

 

[MattC]

Windows Authentication is based on the current windows login, I dont think
you can issue a system logout request from a webpage without using some kind
of ActiveX control.

MattC

 

[Kevin Yu]

" Windows Authentication is based on the current windows login,"

what current windows login? you mean the login to the workstation? no, it's
the crudential that the user enter when prompt by the authentication server,
the user need to be in the AD or in the authenticating server. after the
user it's authenticated, the subsequent communication will contain the
authenticated info in the httpContext. now I am not sure where I can find
more information on how this works, there got to be someway to logout for
the users.





I dont think

 

[MattC]

Ack! Sorry I assumed you meant Integrated Windows Authentication. Closing
the window should kill the current authentication process. Have you tried
abandoning the current Session to see if that clears user authentication
details?

MattC

 

[Kevin Yu]

MattC

thank you for your response.

in fact, clearing the session collection won't help, since it does nothing
to the authentication process/authenitcated commnunication
in the httpContext

Kevin

 

[Kevin Yu]

I came across this in a forum, so I guess it's in the windows authentication
design, not
much can be done.

The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.

All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate..

 

[Kevin Yu]

MattC

there is a workaround. it need to clear the identity token on the client
browser cache, but only IE6 + sp1 support
the javascript function, for the rest of the IE version, an activeX is
needed to clear the cache.

Kevin