
I'm continuing someone else's development and I don't know much about current practices for authentication in MVC applications.

The only things that are set about authentication are in the application's IIS configuration:

  • .NET Authorization Rules = Allow, All Users

Authentication:

  • Anonymous Authentication: Enabled
  • ASP.NET Impersonation: Disabled
  • Windows Authentication: Enabled

With this configuration, on the server, the browser asks me for a login/password. I enter my network login. Then I can identify the user with Request.RequestContext.HttpContext.User.Identity...

On my local computer, where I log in using the same login/password, no user is logged in to the application (Request.RequestContext.HttpContext.User.Identity.Name == ""). If I disable Anonymous Authentication, the browser simply keeps re-asking for login/password infinitely.

My first problem is that I would like to be able to log out on the server. From the scarce info I got here and there I have already tried:

  • FormsAuthentication.SignOut(); --> does nothing
  • WebMatrix.WebData.WebSecurity.Logout(); --> Exception, tries to access a database (I got this from one of the VS2012 templates but I didn't think it would apply to my context).
  • if(this.Request.RequestContext.HttpContext.Session != null) this.Request.RequestContext.HttpContext.Session.Clear(); --> Session is null, so this does nothing.

So, how can I log out in order to log back in as a different user?

(I would also like to be able to identify the user on the local computer, but I think that should be asked in another topic.)

TTT

1 Answer


Removed FormsAuth logout method as the question is for Windows Auth... doh!

Update:

To get the logged in user name try the IPrincipal Controller.User:

User.Identity.Name

Doh, my bad, you're using Windows Authentication...

In which case it's the browser that is caching the credentials, not the server / IIS, so clearing the session won't achieve anything.

Taken from here:

"The user credentials are being cached by the client browser, not by IIS. To force the client user to enter credentials again, you would need to send an appropriate 401 status message in response to the next client request. However, doing this would run counter to very legitimate user expectations of how Windows authentication is supposed to work, so you may want to reconsider. When Windows user credentials have already been accepted by a server (either via a login dialog or automatic submission under IE configuration for the target site or zone), a 401 is only expected if a requested resource cannot be accessed under the previously supplied credentials. When you send a 401 after any credentials have been previously accepted, the user should expect that they need to use different credentials from their initial login. If you're expecting the same credentials, then user confusion should be anticipated.

All in all, if you really want to force a new login, perhaps a different authentication mode might be more appropriate."

For an IE only workaround see this SO post.

Paul Zahra
  • Thank you for your reply, but if you read my post, you'll see that I have already tried both (separately and together). – TTT Jan 24 '14 at 10:23
  • @TTT Indeed but did you use them both together? - Typically in MVC with forms authentication you would logout as per the method above. – Paul Zahra Jan 24 '14 at 10:37
  • As mentioned in my previous comment, I've tried separately AND I've tried both together. – TTT Jan 24 '14 at 10:47
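As an added example (not code from the question or the answer above), here is what the two points discussed on this page look like in an ASP.NET MVC controller: requiring an authenticated user so that IIS actually issues the Windows Authentication challenge and User.Identity.Name is populated even with Anonymous Authentication enabled (the local-machine symptom in the question), and a "log out" action that does what the quoted text describes, answering with a 401 so the browser prompts for credentials again, while avoiding the endless re-prompt loop the question mentions. The setup assumed is the question's: IIS with both Windows Authentication and Anonymous Authentication enabled, an MVC 4 / .NET 4.5 project. The controller, action and cookie names are assumptions.

```csharp
// Added example, not from the original question or answer. Assumes ASP.NET MVC 4 on
// .NET 4.5 under IIS with Windows Authentication AND Anonymous Authentication enabled,
// as in the question. Controller, action and cookie names are hypothetical.
using System;
using System.Web;
using System.Web.Mvc;

public class AccountController : Controller
{
    // [Authorize] makes MVC return 401 for anonymous callers; IIS's Windows Authentication
    // module turns that 401 into a WWW-Authenticate: Negotiate/NTLM challenge. Without it,
    // Anonymous Authentication wins and User.Identity.Name is "" (the question's local-
    // machine behaviour). The site-wide equivalent is <deny users="?"/> in web.config.
    [Authorize]
    public ActionResult WhoAmI()
    {
        return Content("Logged in as: " + User.Identity.Name, "text/plain");
    }

    // "Log out" for Windows Authentication. There is no server-side ticket to clear
    // (FormsAuthentication.SignOut / Session.Clear touch nothing relevant): the browser
    // caches the credentials and resends them. The only lever is a 401 so the browser
    // prompts again. A marker cookie tells the first hit (send the challenge) apart from
    // the retry (browser re-authenticated, possibly as someone else), so we do not answer
    // every request with 401 and loop forever.
    public ActionResult Logout()
    {
        const string marker = "ForceReauth";   // hypothetical cookie name

        if (Request.Cookies[marker] == null)
        {
            // First request: set the marker, then challenge. Cookies set on a 401 response
            // are stored by browsers, so the retry will carry the marker.
            Response.Cookies.Add(new HttpCookie(marker, "1") { HttpOnly = true, Path = "/" });

            // Only matters if forms authentication is also configured: stops the 401 from
            // being rewritten into a redirect to the login page (.NET 4.5 and later).
            Response.SuppressFormsAuthenticationRedirect = true;

            return new HttpUnauthorizedResult();   // status 401; IIS adds WWW-Authenticate
        }

        // Retry after the challenge: drop the marker and show who we are now.
        Response.Cookies.Add(new HttpCookie(marker, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = "/"
        });
        return RedirectToAction("WhoAmI");
    }
}
```

The marker cookie is what separates this from simply returning 401 on every request, which reproduces the infinite prompt loop described in the question when Anonymous Authentication is disabled. Two caveats that the quoted text already hints at: whether the browser shows a prompt or silently resends the cached credentials depends on the browser (and, for IE, on the security zone and the "automatic logon" setting), and nothing sent from the server can clear the browser's credential cache, which is why the IE-only workaround mentioned in the answer has to run script on the client. If the user cancels the prompt, the marker cookie stays behind until the next visit to the action, so a real implementation would also expire it on the WhoAmI side.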