0

After a user logs off from our web-site we need to fire off some HTTP requests to 2-3 other external urls (we don't need a response from these btw).

The url request must be performed on the client as the requests will cause a log-off to be performed on these external sites on the user's current session.

The only way I thought that this could be achieved would be to render some invisible iframes and set the url to each of them so that when the page loads the requests will be executed.

Is there another way this could be achieved? The above solution seems a bit hacky.

EDIT: I cannot use JS for this as we need to conform to standards.

Mantorok
  • Since this has to be done on the client you might want to tag this with javascript too. – Chris Jan 14 '11 at 10:59
  • I can't do this in JS, as we have to ensure our website works without JS. – Mantorok Jan 14 '11 at 11:37
  • If you don't want to use JS then I don't think you can do it any way except something similar to your suggestion of hidden iframes. You could also potentially give them the option of seeing these frames to confirm they have logged out of the remote sites. – Chris Jan 14 '11 at 13:26
  • Agree with Chris. What you're trying to do really is script something without using any scripting. This is why you inevitably end up with something that seems hacky! – James Morcom Jan 14 '11 at 13:33
  • @James, I agree, which is why I eventually ended up thinking about iframes, it does seem like the only option. – Mantorok Jan 14 '11 at 13:38
  • Mantorok: I've just updated my answer to be more comprehensive and include some of the things I've said in comments to consolidate it all. I am still interested in hearing more from those who think it can be done server side to see if they are thinking of something that I've not - given the rep of Darin Dimitrov I am reluctant to just assume he is wrong (though of course rep isn't everything). :) – Chris Jan 14 '11 at 14:29

3 Answers

1

In order to do this purely server side the server would need to be able to identify itself as the user to the external sites. The user will usually be identified by a cookie when accessing the external site which means that the server would need this cookie to be able to correctly identify itself.

Unfortunately (for you, fortunately for web security the world over) a site is not able to get hold of the data from cookies for other sites. And so isn't able to identify itself in this way.

Sites can incorporate other ways of identifying accesses. An example might be the cookieless sessions in ASP.NET which uses a unique key in the url (I believe) or if some kind of trust has been set up between servers you can do authentication via secure trusted communication. However, these may well still not be sufficient to log a user out. eg in the latter case the server might be able to identify as a given user to an external site but that external site would still need to have implemented code to log off all sessions since the server connection would be in a different session to the user connection.

This leaves us with having to do things on the client. Javascript is the logical solution to this. You would need to have a javascript function linked to your "logout" button and use that function to send the requests to the external servers before actually hitting your ASP.NET page to log out of your site. You could do this by either opening new windows with the external site logout page (has the advantage that your user will know they are logged out of these other sites) or do the requests directly through the javascript.

This question should help you with firing off the javascript requests: HTTP GET request in JavaScript?

If as in this case javascript is not allowed then another method must be used to make the calls to the remote server. There are a few options available for this which include your suggestion of iframes which have the advantage they could be displayed if wanted (eg the user wants visual confirmation of the logout) but might be a little more than you need (since you don't need to load up all the HTML into a dom, etc). Another option would be to (ab)use an image tag. Put the logout url as the image source and it will go off and get it. What comes back won't be a valid image so you'll just get a broken image tag. This can of course be hidden by a variety of means.

There may be other tags I've not thought of that will work for this (thoughts include a tag though that may work but may well not and probably other tags I've not thought of). You'll have to experiment if you want others.

Personally I'd probably stick with the iframes but have them visible on your logout screen (possibly with javascript that hides them and displays a button to show them).

Chris
  • I wouldn't want any part of my logout dependent on javascript. I would definitely do this from the server instead. – Michael Shimmins Jan 14 '11 at 11:03
  • Yes, I should've mentioned I need to avoid JS to conform to standards. – Mantorok Jan 14 '11 at 11:38
  • @Michael Shimmins: But you can't do it from the server. To log out of a server you would need to firstly identify who you are to that server. The primary server (ie the site we want to add the code to) shouldn't have the credentials for the external sites as far as I can see. – Chris Jan 14 '11 at 13:18
0

Why don't you send those requests from the server just before signing out? There you have all the necessary context information from the client (like authentication cookies, etc...) which could be delegated to the remote sites when performing the request. If you don't care about the response you could fire those requests in separate threads to avoid blocking the client.

Darin Dimitrov
  • In fact, you have to do this if you want to handle session timeouts (i.e. You can't always rely on the user to click the logout link). – James Morcom Jan 14 '11 at 10:14
  • I would really hope that you don't have the user's cookies for these remote sites... That would imply a *massive* security hole somewhere. :) – Chris Jan 14 '11 at 10:49
  • Surely I can't send the request from the server, can I? I didn't realise that was possible, how would I ensure that the server received all the relevant context info? – Mantorok Jan 14 '11 at 11:36
  • Sure you can send http requests from code (see the WebClient class in .net) but yes it won't appear to the external site as a request from your user's browser. It really depends what you're trying to do here. Can you provide more information? Are the external sites out of your control? – James Morcom Jan 14 '11 at 12:03
  • Well, the requests will log the user out of other systems that are not in our control, this is why it needs to ideally be done from the user's session as it will be their login that needs to be logged off. – Mantorok Jan 14 '11 at 12:15
  • @Mantorok, just use Fiddler to capture all the necessary request headers and then you could forge any request you like so that to the external site it looks as if the request is coming from the user. The only thing you cannot change is the IP address of the request. From the perspective of the external site all requests will come from your server instead of the user's. – Darin Dimitrov Jan 14 '11 at 12:36
  • @Darin Dimitrov: the cookies needed to identify a user to a remote server will change on a per user basis and the base website will have no access to them. He could access a logout page on a remote server but unless that took a username as a parameter (which I doubt it would) then it wouldn't be able to identify which user to log off. – Chris Jan 14 '11 at 13:14
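
Added example (not part of the original thread or of any answer in it): a simplified JavaScript model of browser cookie scoping, illustrating the point argued in both answers' comment threads, namely that a server-side call to an external logout URL arrives without the user's session cookie, while a request issued by the user's browser (hidden iframe or image) can carry it. It goes beyond the thread by also modelling the SameSite attribute, which browsers added later and under which Lax or Strict cookies are not sent on cross-site iframe or image requests. Host names, cookie names and the two-label "site" rule are assumptions.

```javascript
// Simplified model of browser cookie scoping. All hosts and values are constructed.
// Assumption: "site" = last two host labels, standing in for the Public Suffix List.
const site = (host) => host.split(".").slice(-2).join(".");

// RFC 6265 domain-match: exact host, or a subdomain of the cookie's domain.
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);

// Cookies the holder of `jar` attaches to a GET for `url`.
// initiator: URL of the page that triggered the request.
// kind: "top-level" (address-bar navigation) or "embedded" (iframe, img).
function cookiesSent(jar, url, initiator, kind) {
  const host = new URL(url).hostname;
  const crossSite = site(host) !== site(new URL(initiator).hostname);
  return jar
    .filter((c) => domainMatch(host, c.domain))
    .filter((c) => {
      if (!crossSite || c.sameSite === "None") return true;
      return c.sameSite === "Lax" && kind === "top-level";
    })
    .map((c) => `${c.name}=${c.value}`);
}

const browserJar = [
  { name: "OurSession", value: "a1", domain: "www.oursite.example", sameSite: "Lax" },
  { name: "PartnerSession", value: "b2", domain: "sso.partner.example", sameSite: "None" },
  { name: "OtherSession", value: "c3", domain: "app.other.example", sameSite: "Lax" },
];
const ours = "https://www.oursite.example";

// 1. User clicks "log off" on our site: our server receives only our own cookie.
const seenByOurServer = cookiesSent(browserJar, `${ours}/logout`, `${ours}/account`, "top-level");

// 2. Our server calls the partner logout URL itself. Its jar holds only what it
//    was sent in step 1, so nothing matches and the request is anonymous.
const serverJar = browserJar.filter((c) => seenByOurServer.includes(`${c.name}=${c.value}`));
const serverSide = cookiesSent(serverJar, "https://sso.partner.example/logout", `${ours}/logout`, "top-level");

// 3. Iframes on our logged-out page, loaded by the user's browser.
const iframePartner = cookiesSent(browserJar, "https://sso.partner.example/logout", `${ours}/loggedout`, "embedded");
const iframeOther = cookiesSent(browserJar, "https://app.other.example/logout", `${ours}/loggedout`, "embedded");

console.log({ seenByOurServer, serverSide, iframePartner, iframeOther });
```

In this model the iframe request to the second external site carries no cookie because that site's session cookie is SameSite=Lax, so the framed logout page would not see the user's session there.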
0

Check this question: How to send http request in asp.net without waiting for a response and without tying up resources

StefanE