Re: How to provide Log Off for a Web Application?

From: John Saunders (john.saunders@surfcontrol.com)
Date: 03/08/03 

From: "John Saunders" <john.saunders@surfcontrol.com>
Date: Fri, 7 Mar 2003 19:04:34 -0500

I know that many want to do it, but I'm trying to understand why they want
to do it. I know from personal experience that some want to do it because
they're accustomed to "thick client" and mainframe technologies, and don't
really understand how the web works. If Mr. Geretz has a different
requirement, I'd very much like to understand what it is. 

--
John Saunders
Internet Engineer
john.saunders@surfcontrol.com
"Ellery Familia" <ellery AT ellery.tv> wrote in message
news:OKk4o$K5CHA.1540@TK2MSFTNGP09.phx.gbl...
> "This strikes me as ironic"
>
> John, what wants to do, lots of sites do it... the only thing is he wants
to
> do it with
> windows auth. If you didn't know, you could make the browser always pull
> new pages, so if you hit (back) in your browser, a "page expired" error
will
> be shown.
> When you hit refresh to get the old page, you'd be asked to logon once
> again.
>
> Ellery Familia
> www.universalmembers.com
>
> "John Saunders" <john.saunders@surfcontrol.com> wrote in message
> news:uwmmwOE5CHA.2088@TK2MSFTNGP12.phx.gbl...
> > So, this is for:
> > 1) Users who want to leave their browsers open while leaving their
> computers
> > unattended and without locking them first
> > 2) Users who are security conscious
> >
> > This strikes me as ironic.
> >
> > Among other things, how do you prevent someone from simply going over to
> the
> > browser and clicking the "Back" button to read secure content? I'll
> presume
> > that your Logout method will also redirect to a different page so that
> > people won't be able to read the secure data on the screen.
> >
> > Perhaps your logout button should close all the users' browsers by using
> > client-side code?
> >
> > --
> > John Saunders
> > Internet Engineer
> > john.saunders@surfcontrol.com
> >
> >
> > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > news:O8jgFNC5CHA.3512@TK2MSFTNGP11.phx.gbl...
> > > > I'm curious. Why do you need to log the user off?
> > >
> > > For security.
> > >
> > > Browser applications are different than your typical Windows
application
> > in
> > > this respect. The typical windows app is used for a specific purpose.
> The
> > > user will fire up the app, log in (we're talking a secure app here) do
> > what
> > > he needs to do and will then close the app. So you don't often see a
> > > specific log out function, other than closing the app. Naturally, the
> user
> > > realizes that his session is active as long as the app is running.
> > >
> > > Browser applications are different since the same browser can deliver
> many
> > > different 'applications' during its lifetime. Simply moving to a
> different
> > > site doesn't 'close' the previous application the user was using. So
for
> > the
> > > security conscious user there are two options:
> > >
> > > 1. Close the browser. This is a pain to always have to close the
> browser.
> > > 2. Log out via an application provided function. Many sites have
these,
> > but
> > > the ones I've seen are using their own cookies for security. It's easy
> to
> > > expire a cookie, thus invalidating the current session. But how to
> expire
> > > cached windows credentials?
> > >
> > > - Joseph Geretz -
> > >
> > > "John Saunders" <john.saunders@surfcontrol.com> wrote in message
> > > news:un13sEB5CHA.2392@TK2MSFTNGP09.phx.gbl...
> > > > I'm curious. Why do you need to log the user off?
> > > >
> > > > --
> > > > John Saunders
> > > > Internet Engineer
> > > > john.saunders@surfcontrol.com
> > > >
> > > >
> > > > "Joseph Geretz" <jgeretz@nospam.com> wrote in message
> > > > news:#HGahWA5CHA.2424@TK2MSFTNGP09.phx.gbl...
> > > > > I'm using Basic Authentication via IE to log user in to my site.
Can
> I
> > > > > subsequently log them off, or will they retain authentication as
> long
> > as
> > > > the
> > > > > browser window is open? If I'm going to want to provide a log of
> > > function
> > > > > will I need to use Forms Authentication so that I can expire the
> > cookie?
> > > > Or
> > > > > can I somehow invalidate the cached credentials which are issued
by
> > > > > performing a Windows Log In via Basic Authentication?
> > > > >
> > > > > If I can, I'd like to remain with Basic Authentication since that
> > means
> > > I
> > > > > don't need to write my own log in code.
> > > > >
> > > > > Thanks for any help you can provide.
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Cookies from ASP.NET app not persisting even when enabled!
    ... > I'm new to ASP.NET and have been developing a small app at work to test ... > and the authorization cookie is saved as expected on the local machine. ... any browser OTHER THAN the one on the development ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Access 2010 with Sharepoint 2010
    ... the browser as in Access itself? ... I've said elsewhere that I'm wary of embedded macros because of the ... An existing app ... that when I deploy to the client system, ...
    (comp.databases.ms-access)
  • Re: Cookies from ASP.NET app not persisting even when enabled!
    ... > if you site only works form a local browser, ... >> I'm new to ASP.NET and have been developing a small app at work to test ... >> and the authorization cookie is saved as expected on the local machine. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Tkinter or wxpython?
    ... If you can get them to install a desktop app ... The permission mechanism is admittedly browser dependent. ... not so much for an application platform. ... HTML has non-trivial cross browser differences. ...
    (comp.lang.python)
  • Re: Tkinter or wxpython?
    ... If you can get them to install a desktop app ... The permission mechanism is admittedly browser dependent. ... not so much for an application platform. ... HTML has non-trivial cross browser differences. ...
    (comp.lang.python)