注销按钮IIS6 ASP.NET基本身份验证 [英] Logoff button IIS6 ASP.NET Basic Authentication

问题描述

我有一个明确的退出按钮在ASP.NET Web应用程序的用户的要求。我使用IIS6使用基本身份验证（SSL）。我可以重定向到另一个网页，但浏览器保持会话活着。我用Google搜索了一圈，发现了一种方法，使一个Active X控件与IIS进行沟通和终止会话做到这一点。我是一个受限制的环境下，不允许窗体身份验证和Active X控件不禁止的好。任何人都有这个要求，你怎样处理呢？

I have a requirement for an explicit logout button for users in a ASP.NET web app. I am using IIS6 with Basic Authentication (SSL). I can redirect to another web page but the browser keeps the session alive. I have googled around and found a way to do it by enabling an active x control to communicate with IIS and kill the session. I am in a restricted environment that does not allow forms authentication and active x controls are not forbidden as well. Has anyone else had this requirement and how have you handled it?

好吧，这就是我所担心的。我看到在网络上类似的答案，我希望有人将不得不做的一种方式。感谢您的时间虽然。我想我可以使用JavaScript来prevent后退按钮像history.back（）

Okay that is what I was afraid of. I have seen similar answers on the net and I was hoping someone would have a way of doing it. Thanks for your time though. I guess I can use javascript to prevent the back button like the history.back()

推荐答案

我是用这个自己挣扎了好几天。

I was struggling with this myself for a few days.

使用IE特定的 document.execCommand（'ClearAuthenticationCache'）; '是不是每个人一个很好的选择：
1）刷新所有凭证，这意味着用户将例如，还会从他的Gmail或任何其他网站，在那里他目前身份验证注销
2）它仅仅是IE浏览器;）

Using the IE specific 'document.execCommand('ClearAuthenticationCache');' is not for everyone a good option: 1) it flushes all credentials, meaning that the user will for example also get logged out from his gmail or any other website where he's currently authenticated 2) it's IE only ;)

我试着使用Session.Abandon（），然后重定向到我的Default.aspx。单独这是不够的。
你需要明确地告诉大家，这是提出的请求没有被授权的浏览器。您可以通过使用像这样做：

I tried using Session.Abandon() and then redirecting to my Default.aspx. This alone is not sufficient. You need to explicitly tell the browser that the request which was made is not authorized. You can do this by using something like:

response.StatusCode = 401;
response.Status = "401 Unauthorized";
response.AddHeader("WWW-Authenticate", "BASIC Realm=my application name");
resp.End();

这将导致如下：用户点击注销按钮==>他会得到基本的登录窗口。但是：如果他presses逃脱（登录对话框消失）和命中刷新，浏览器自动地再次发送凭据，导致获得登录用户，虽然他可能会认为他退出

This will result in the following: the user clicks the logout button ==> he will get the basic login window. HOWEVER: if he presses escape (the login dialog disappears) and hits refresh, the browser automagically sends the credentials again, causing the user to get logged in, although he might think he's logged out.

解决这个诀窍是要始终吐出一个独特的境界。然后浏览器不重新发送在上述情况下的凭据。我选择了吐出当前日期和时间。

The trick to solve this is to always spit out a unique 'realm'. Then the browser does NOT resend the credentials in the case described above. I chose to spit out the current date and time.

response.StatusCode = 401;
response.Status = "401 Unauthorized";
string realm = "my application name";                
response.AddHeader("WWW-Authenticate", string.Format(@"BASIC Realm={0} ({1})", realm, DateTimeUtils.ConvertToUIDateTime(DateTime.Now)));
resp.End();

这是你需要做的另一件事是告诉浏览器不缓存的页面：

Another thing that you need to do is tell the browser not to cache the page:

Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.MinValue);
Response.Cache.SetNoStore();

所有这些东西的地方它的工作原理（对我来说）在IE浏览器，但直到现在我仍然无法prevent火狐从当用户第一次presses逃脱用户登录（隐藏基本的登录对话框），然后刷新（F5）或浏览器的后退按钮。

With all these things in place it works (for me) in IE, but until now I still wasn't able to prevent firefox from logging in the user when the user first presses escape (hides the basic login dialog) and then refresh (F5) or the browsers back button.

这篇关于注销按钮IIS6 ASP.NET基本身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！