Re: How to terminate client logon? session.abandon not working?

From: Todd Johnson (tjohnson_at_cgisenior.com)
Date: 07/12/04


Date: Mon, 12 Jul 2004 15:03:58 -0500

Thanks for the prompt response Tom!

I must say, though - that I'm a little disappointed in how IE handles this.
If the server sends a session.abandon then why aren't the credentials used
for that site either marked "dirty" or removed from the cache?

Our alternatives are not real pretty. Closing the browser seems a bit
intrusive (and wouldn't we have to close ALL browser windows). The client
component is also not ideal. It does appear simple from a development
perspective, but it requires us to sign and install custom components on the
client in a time where many viruses and spyware components are also trying
to be installed on the client.

Most lay users may not understand the differences between malware components
and legitimate components. Frequently, I simply advise users to either
disable ActiveX controls or at least prompt before install. May also have
some issues with sites where ActiveX controls are disabled on the proxy or
firewall units. So, this could be just a bunch of phone calls to our help
desk. (We get several calls already with http vs https - so you can see
what our user population is like).

In summary, if these are our only alternatives - we'll probably use the
client side control.

Thanks again,

Todd

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:ccul50$d3u1@kcweb01.netnews.att.com...
> "Todd Johnson" <tjohnson@cgisenior.com> wrote in message
> news:%23V7xl1DaEHA.2488@tk2msftngp13.phx.gbl...
> > It seems that we can wipe out the session vars, but not the authentication.
> >
> > How do we terminate the authentication and force the user to logon again?
> > Is the old session ID still valid after the abandon?
>
> That's because client authentication is not at all related to the ASP
> session. The browser caches the client credentials locally. Aside from
> closing the browser to kill the cache you may try:
> http://support.microsoft.com/?kbid=195192
>
> --
> Tom Kaminski IIS MVP
> http://www.microsoft.com/windowsserver2003/community/centers/iis/
> http://mvp.support.microsoft.com/
> http://www.iisfaq.com/
> http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
> http://www.tryiis.com
>
>
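
A small Python model of the behaviour described in this thread, added here as an illustration and not code from either poster or from IIS/ASP. It assumes HTTP Basic authentication; the `server` function, the `Browser` class, the account, the realm and the paths are all hypothetical and constructed for the example.

```python
import base64
import secrets

USERS = {"todd": "s3cret"}   # constructed sample account
SESSIONS = {}                # session id -> session variables

def check_basic(headers):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:       # malformed base64 or non-UTF-8 bytes
        return None
    expected = USERS.get(user)
    if expected and secrets.compare_digest(expected.encode(), password.encode()):
        return user
    return None

def server(path, headers):
    """Hypothetical server: authentication is checked per request, independent of session state."""
    if check_basic(headers) is None:
        return 401, None, {"WWW-Authenticate": 'Basic realm="demo"'}
    sid = headers.get("Cookie")
    if path == "/logout":    # stands in for Session.Abandon: only session vars are wiped
        SESSIONS.pop(sid, None)
        return 200, None, {}
    out = {}
    if sid not in SESSIONS:  # no live session: start a fresh one
        sid = secrets.token_hex(8)
        SESSIONS[sid] = {"hits": 0}
        out["Set-Cookie"] = sid
    SESSIONS[sid]["hits"] += 1
    return 200, dict(SESSIONS[sid]), out

class Browser:
    """Resends its cached cookie and credentials on every request until closed."""
    def __init__(self):
        self.headers = {}
    def login(self, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers["Authorization"] = "Basic " + token
    def get(self, path):
        status, session_vars, out = server(path, dict(self.headers))
        if "Set-Cookie" in out:
            self.headers["Cookie"] = out["Set-Cookie"]
        return status, session_vars
    def close(self):
        self.headers.clear()
```

In this model a request made after `/logout` still returns 200 with a fresh, empty session, because the cached Authorization header is resent; only `close()` leads to a 401.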


