We help IT Professionals succeed at work.

HTTP Authentication

gisvpn
gisvpn asked
on
348 Views
Last Modified: 2008-02-01
Hello,

I am using simple HTTP authentication on one of our web sites. I have the following which takes the AUTH_USER variable and assigns it to the Session("username"). The below code is located on the page which the user sees and authenticates against - for example if the user has not authenticated and tries to access this page then they are promoted to enter their username and password.

<% Session("username")= Request.ServerVariables("AUTH_USER") %>

The problem is getting the user to log out. I can clear the Session variables, however the variable Request.ServerVariables("AUTH_USER")  still remains ? How can i clear this at the sametime as clearing the session variables ? As if the user clicks to log out (and the ASP code clear the session variables and then returns to the page which has Request.ServerVariables("AUTH_USER") on it, it will simply log the user back in.

Many thanks in advance

GISVPN
Comment
Watch Question

This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Also have login form and validating page different....

login form would include textboxes with username/passowrd and a button, and when entered it will be sent to validating.asp page which validates and creates a session. When user logs out all the sessions would clear and he would be sent to login page so sessions would create only when he clicks on submit button again
The AUTH_USER server variable actually is set when the user logs into their PC.  The only way to clear it is to log out of the PC.

Author

Commented:
bugs - great thanks for the information.

danataylor - im not sure that is correct - The AUTH_USER var is always null until it authenticates against the server (as opposed to using any of the local PC credentials).

thanks,

GISVPN
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Commented:
I think the way i got around it was to issue another unauthorsed statement.

Commented:
EG.

Response.Clear()
Response.Status = "401 Unauthorised"
Response.AddHeader "WWW-Authenticate","Basic Realm=""EFFX Authentication"""
You're right - The AUTH_USER variable is initially null.

Author

Commented:
effx - thanks for the comments - may well try that ;)

Thanks

GISVPN
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.