idz
2007-05-22 07:24:50 UTC
Hi,
Our company was able to successfully implement the use of ADFS in one
of our clients' systems. But we have this issue that we really can't
figure out how to solve. Below is a scenario explaining our problem:
1. User opens up IE and enters the URL for the ASP.NET application
(aka. Server).
2. The Server checks if the user is authenticated or not. If not,
the user is sent to the ADFS sign-in where he/she is prompted for
credentials.
3. The user enters his username and password and submits the
credentials.
4. Once the Server has received an authenticated token from ADFS,
the user is redirected to the original URL he/she has requested.
5. The user then uses the application by accessing a couple of
pages.
6. The user then decides to logout by clicking the logout button.
7. The Server processes the logout request by clearing the user's
ASP.NET session and requests the ADFS to sign-out the user.
8. Then using the same IE window, the user clicks on IE's Back
button so that he/she can access the page he/she has last visited.
9. Now comes our problem. Since the user has explicitly requested
a logout (step 6), the user expects that he/she will be prompted
again for his/her credentials (same as in step 3). But instead, IE
automatically performs a re-authentication - no more prompts to the
user. It seems that IE has kept/cached the previously entered
credentials and used them to automatically re-authenticate the user.
10. After that, the previous page is displayed.
The automatic re-login behavior is what we are trying to resolve,
especially when the user has just requested to be logged out. We tried
the same scenario using Firefox and it has the same issue. But we
did another Firefox test where, after logging out and manually using
Firefox's "Clear Private Data" function (with "Authenticated session"
checked), going back to the previous page now causes a re-prompt
for user credentials - which is the kind of behavior we are looking
for. This is considered a security risk for the reason that if the
user was using a public PC and forgot to close the
browser, then someone can get access to the system by simply using the
Back button on that IE window.
Is there a programmatic way to change this default behavior? Do you
have any recommendations on how we can resolve this without requiring
manual actions/settings on the side of the user?
Thanks in advance.
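A defender-side sketch of step 7 above, added here as an example and not code from the original post: it expires the application's session cookies, marks the response non-cacheable so Back cannot re-display a protected page from the browser cache, and redirects to a WS-Federation passive sign-out request (wa=wsignout1.0) so the ADFS-side session ends as well. The host names and the federation cookie name are constructed placeholders, and the code does not remove HTTP credentials the browser itself has cached, which is the behaviour described in step 9.

```python
from typing import List, Tuple
from urllib.parse import urlencode

# Constructed placeholders, not the poster's real values.
ADFS_LS = "https://adfs.example.invalid/adfs/ls/"   # federation service passive endpoint
APP_ROOT = "https://app.example.invalid/"            # relying-party application root
# ASP.NET_SessionId is the default ASP.NET session cookie; the second name
# is a stand-in for whatever cookie the federation agent issues.
AUTH_COOKIES = ("ASP.NET_SessionId", "FederationAgentCookie")

# Headers that forbid caching, so Back must issue a new request instead of
# showing the protected page from the browser's cache.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
]


def expire_cookie(name: str) -> Tuple[str, str]:
    """Set-Cookie header that deletes `name`: empty value, past expiry, Max-Age=0."""
    return ("Set-Cookie",
            f"{name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            f"Max-Age=0; Secure; HttpOnly")


def build_logout_response() -> Tuple[int, List[Tuple[str, str]]]:
    """Step 7 of the scenario: drop the local session cookies, forbid caching,
    then send the browser to ADFS with a WS-Federation sign-out request.
    wreply tells ADFS where to return the browser once it has signed out."""
    signout_url = ADFS_LS + "?" + urlencode({"wa": "wsignout1.0", "wreply": APP_ROOT})
    headers = [expire_cookie(c) for c in AUTH_COOKIES]
    headers += NO_STORE_HEADERS
    headers.append(("Location", signout_url))
    return 302, headers


def may_replay_from_history(headers: List[Tuple[str, str]]) -> bool:
    """Conservative check for a protected page's response headers: True if a
    browser is allowed to show the page again (e.g. on Back) without a request.
    Use it in a test to catch protected pages served without no-store/no-cache."""
    directives = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            directives.update(d.strip().lower() for d in value.split(","))
    return not ({"no-store", "no-cache"} & directives)
```

Note that only the cache headers protect against Back showing stale content; a browser that has memorised HTTP (Basic/NTLM) credentials will still re-send them on the new request, which is why the Firefox "Clear Private Data" test changed the outcome.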