Hello,
I am building an intranet site on Windows Server 2003 and IIS 6.0. We are using Integrated Windows Authentication as our only authentication method.
What we are having trouble with is creating a “Logoff” button for our users. Is there anything that can do this, without having to recode a different login scheme?
Thanks.
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Or you can give the effect by having javascript close the browser window. Of course that will cause a wwarning saying "this page is trying to close the browser - do you want to continue?"
But that way they feel they are completely off, when in fact they will never be off since it is an integrated login.
If you are using Integrated Windows Authentication Logoff is pointless. The web server validates against the NT login and that information persists until the user logs off their computer. So if a user opens up the browser and navigates to your website they will always get it assuming they have correct permissions.
If you are worried about clearing out session variables then you may create a logoff button that links to a page that clears the session variables.
I think it is possible to have a 'real' logoff button that can purge browser's NT credentials cache.
--- Win32 security api has a function to do that. But that means you need to write an activeX component (most probably in c++) and install it in each user machine.
--- Using javascript. But it works only for IE6 sp1 or later.
document.execCommand(Clear
from MSDN:
http://msdn.microsoft.com/
Other than the above, you have to find a workaround.
Henry
Windows logs on the machine as well as the user. You should be able to just logoff the user without incident. A button that times the user's usage should be able to log him off both at the server and at the local machine; which is a good thing so that people's machines and account don't get left where anyone can come along and impersonate a user, say, late at night, when the user is not there or whatever [the janitor has become the CEO and all that].
But Windows should also be configurable for this. You might want to look into SMS from Microsoft.
I don't know why Microsoft didn't include this button either; doesn't it make sense to leave the machine logged in and connected and give the user the ability to effectively lock out his account at his machine by manually logging off at the end of the work day, lunch, etc.?
This should be configurable, and should also be configurable as automatic after some span of time, or at some exact time each day.
But you're right, a constant button would really be nice.
By the way, you then can't use "remember my password" because, again, any joker can come up, hit logon, and be that user or employee [some people must really be lazy!]
Thanks for the tips. I was hoping that they had a logoff feature like they do in Outlook Web Access, which uses the same type of authentication.
I've tried the Javascript feature and could only get it to close IE, not Firefox. Most of the people who are accessing this site are from home or other places so it is not possible to regulate or install software on these machines.
I'm awarding the points to rdivilbiss because he/she was the first to respond and had the correct information. Thank you all for your input and hopefully Microsoft can create a fix in IIS to allow for something like this.
Business Accounts
Answer for Membership
by: rdivilbissPosted on 2005-12-20 at 12:23:34ID: 15521470
Since integrated authentication simply passes the login credentials from the client browser to the Intranet site, there really isn't a login there per se. The login occured on the windows client machine.
If you are worried about a browser being left open on the windows client thus being exposed to unautorized use of the Intranet site, your best bet is to enforce good client security, susch as password protected screen savers.
But if it makes some one feel better to force a "log off" on the Intranet by means of a button, simply create a new virtual site on the server. Put one page in the site, shich displays a log off message and disable integrated windows authentication for that site. Make the action of your button redirect the user to that sites page.
You are not preventing the user from simply going back to the page that was being used and being instantly recognozed as he never logged on to the web site. His login credentials from the domain were used.