I'm developing a SOA-oriented Intranet application using WCF. I have to implement User Authentication with Windows Authentication.
When we use Windows Authentication there is no possibility to really sign out without closing the browser. Only when you close the browser and open it again do you get the browser prompt to enter user credentials. In my application I need the user to be able to sign out without closing the browser. Nevertheless, it seems there is some trick to change that behavior and, if not really sign out, then at least imitate it.

It's implemented in SharePoint. There are two options: "Sign Out" and "Sign in as a different user". "Sign Out" doesn't really sign out: it shows a prompt to close the browser. If you don't, and just re-enter the address of your application, then it's logged in as if nothing happened. However, "Sign in as a different user" DOES "log out" somehow. That is, after you press this button, you get browser prompts to enter your credentials when you try to access your application (WITHOUT closing the browser). In all internet discussions it's clearly said (e.g. here) that it's NOT possible to log out using Windows Authentication. It seems it's imitated in SharePoint by means of cookies, but I haven't succeeded in reverse-engineering this approach. Could you please suggest a way I can reproduce the SharePoint behavior in my services?
I'm attaching the SharePoint request/response headers (from Chrome); maybe it can help you come up with some ideas (sorry for the large amount of text, and read ptth as http). Thanks!
1) Logged In User accessing any page:
Request URL:ptth://tfs.somecompany.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}
Host:tfs.somecompany.ru
If-Modified-Since:Wed, 26 Mar 2014 11:11:26 GMT
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private, max-age=0
Content-Encoding:gzip
Content-Length:44579
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:11:51 GMT
Expires:Tue, 11 Mar 2014 11:11:51 GMT
Last-Modified:Wed, 26 Mar 2014 11:11:51 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; path=/; HttpOnly
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:db76867e-a1ff-4223-80e6-4502141c064a
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
2) Logged In User pressed "Sign Out":
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/_layouts/SignOut.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:NTLM [base64 token removed]
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154
Host:tfs.somewebsite.ru
Referer:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private
Content-Encoding:gzip
Content-Length:3455
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:17:21 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Persistent-Auth:true
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated=; path=/
SPRequestGuid:bffcf018-5667-4682-8a16-f3851cd2be98
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
3) After pressing "Sign out" enter: ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx (access is granted)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated=
Host:tfs.somewebsite.ru
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Cache-Control:private, max-age=0
Content-Encoding:gzip
Content-Length:47367
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:20:48 GMT
Expires:Tue, 11 Mar 2014 11:20:48 GMT
Last-Modified:Wed, 26 Mar 2014 11:20:48 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
Set-Cookie:TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; path=/; HttpOnly
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:ad83778b-7689-4f7e-b789-9d005e5e9c6a
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
4) Logged In User pressed "Sign in as Different User": ("logging out" happens - browser shows me the prompt to enter credentials)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/_layouts/closeConnection.aspx?loginasanotheruser=true&Source=http%3A%2F%2Ftfs%2Esomewebsite%2Eru%2Fsites%2FDefaultCollection%2FSomeProject%2FDashboards%2FProjectDashboard%5Fwss%2Easpx
Request Method:GET
Status Code:200 OK
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Connection:keep-alive
Cookie:RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; loginAsDifferentAttemptCount=; previousLoggedInAs=; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154
Host:tfs.somewebsite.ru
Referer:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Query String Parameters
loginasanotheruser:true
Source:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Response Headers
Cache-Control:private
Content-Encoding:gzip
Content-Length:683
Content-Type:text/html; charset=utf-8
Date:Wed, 26 Mar 2014 11:29:27 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
Set-Cookie:WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; path=/
SPRequestGuid:01cc0f78-c5af-48b0-a54a-ba214ccf3c0c
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
X-Powered-By:ASP.NET
X-SharePointHealthScore:3
5) After pressing "Sign in as Different User" enter: ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx (access is denied - browser shows me the prompt to enter credentials again and after I press cancel I get the response)
Request URL:ptth://tfs.somewebsite.ru/sites/DefaultCollection/SomeProject/Dashboards/ProjectDashboard_wss.aspx
Request Method:GET
Status Code:401 Unauthorized
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:loginAsDifferentAttemptCount=0; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurndown=5po1uhfmxxnmnh45wshyam45; RSExecutionSession%3a%2fTfsReports%2fDefaultCollection%2fSomeProject%2fDashboards%2fBurn+Rate=wpajy3yqku1obhrhpuowv555; TSWA-Session-Vars=TFS-701396601=1055156467&TFS-1638157380=1950326154; WSS_KeepSessionAuthenticated={46ec4974-b52c-4cc7-b157-84059d748740}; previousLoggedInAs=WIN-9DCSKEFGDTE+AFw-MyUserName; loginAsDifferentAttemptCount=1
Host:tfs.somewebsite.ru
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Response Headers
Content-Length:0
Date:Wed, 26 Mar 2014 11:33:15 GMT
MicrosoftSharePointTeamServices:14.0.0.6029
Server:Microsoft-IIS/7.5
SPRequestGuid:0d9863b0-9243-4762-bdb3-1ea49bec57e7
WWW-Authenticate:NTLM
X-Powered-By:ASP.NET
Update 27.03.14
Found a way to imitate this behavior in Chrome and Opera without cookies or anything. I just implemented a LogOut service operation like this:
using System.Net;
using System.ServiceModel.Web;

// Answer with 401 + "WWW-Authenticate: NTLM": the browser then prompts for
// credentials again on the next request (as observed in Chrome and Opera).
public void LogOff()
{
    WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
    WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate", "NTLM");
}
Check this link. I still have problems in Firefox though (it doesn't prompt for authentication at all, always returns 401) and in IE (it doesn't log off, just refreshes the page, that's it).
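The following is an added example, not code from the question above and not SharePoint's own implementation. It reproduces what traces 4 and 5 suggest SharePoint is doing: the "Sign in as Different User" link stores the current Windows identity in a cookie, and every later request compares that stored name with the identity IIS presents; while they match (and an attempt counter has not run out), the service answers 401 with WWW-Authenticate: NTLM, which is the same response the question's LogOff() sends and the same one seen in trace 5. Assumptions: the WCF REST service is hosted in IIS with Windows Authentication (NTLM) enabled and Anonymous disabled; the cookie name loginAsDifferent, the "user|attempts" value layout, the MaxAttempts limit and the /whoami and /loginasanotheruser URIs are mine, chosen to mirror the previousLoggedInAs and loginAsDifferentAttemptCount cookies in the trace rather than taken from it.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;

// Added example (not from the question or SharePoint). Assumes IIS hosting
// with Windows Authentication (NTLM) on and Anonymous off. Cookie name and
// value layout are assumptions that mirror the two SharePoint cookies.
[ServiceContract]
public interface IAuthService
{
    [OperationContract]
    [WebGet(UriTemplate = "/whoami")]
    string WhoAmI();

    [OperationContract]
    [WebGet(UriTemplate = "/loginasanotheruser")]
    void SignInAsDifferentUser();
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class AuthService : IAuthService
{
    const string MarkerCookie = "loginAsDifferent";
    const int MaxAttempts = 3; // assumption: stop challenging after this many logins as the same user

    // "Sign in as Different User" link: remember who is logged in right now.
    public void SignInAsDifferentUser()
    {
        SetMarker(CurrentUser(), 0);
    }

    // Any protected request: if the marker says the caller should have switched
    // users but IIS still presents the same identity, send 401 + NTLM so the
    // browser prompts again; otherwise serve normally and clear the marker.
    public string WhoAmI()
    {
        string current = CurrentUser();
        string previousUser;
        int attempts;
        bool markerPresent = TryReadMarker(out previousUser, out attempts);

        if (markerPresent &&
            string.Equals(previousUser, current, StringComparison.OrdinalIgnoreCase) &&
            attempts < MaxAttempts)
        {
            SetMarker(previousUser, attempts + 1);
            Challenge();
            return null;
        }

        ClearMarker();
        return current;
    }

    static string CurrentUser()
    {
        var ctx = ServiceSecurityContext.Current;
        return (ctx != null && ctx.WindowsIdentity != null) ? ctx.WindowsIdentity.Name : "";
    }

    // Same two lines as the question's LogOff(), plus an empty body like trace 5.
    static void Challenge()
    {
        var resp = WebOperationContext.Current.OutgoingResponse;
        resp.StatusCode = HttpStatusCode.Unauthorized;
        resp.Headers.Add("WWW-Authenticate", "NTLM");
        resp.SuppressEntityBody = true;
    }

    static bool TryReadMarker(out string user, out int attempts)
    {
        user = null;
        attempts = 0;
        string header = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie];
        if (string.IsNullOrEmpty(header)) return false;
        foreach (string part in header.Split(';'))
        {
            string[] kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length != 2 || kv[0] != MarkerCookie || kv[1].Length == 0) continue;
            string[] fields = Uri.UnescapeDataString(kv[1]).Split(new[] { '|' }, 2);
            if (fields.Length != 2 || !int.TryParse(fields[1], out attempts)) return false;
            user = fields[0];
            return true;
        }
        return false;
    }

    static void SetMarker(string user, int attempts)
    {
        // One cookie carrying both fields, so only a single Set-Cookie header is needed.
        string value = Uri.EscapeDataString(user + "|" + attempts);
        WebOperationContext.Current.OutgoingResponse.Headers.Add(
            HttpResponseHeader.SetCookie, MarkerCookie + "=" + value + "; path=/; HttpOnly");
    }

    static void ClearMarker()
    {
        WebOperationContext.Current.OutgoingResponse.Headers.Add(
            HttpResponseHeader.SetCookie,
            MarkerCookie + "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT");
    }
}
```

Two design notes. The attempt counter exists because NTLM gives the server no way to tell "the user cancelled the prompt" from "the user typed the same credentials again"; without a cap, a user who re-enters their own name would be challenged forever. Both fields live in a single cookie on purpose: WebHeaderCollection may fold repeated Set-Cookie values with commas, which browsers do not parse as separate cookies, so emitting one cookie sidesteps the question. The 401 still only works where the browser reacts to it the way Chrome and Opera do in the update above; the Firefox and IE behaviour described there is a client-side matter that this server code cannot change.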