
If I have an ASP.NET Core 2.1 website set up using Windows Authentication, how do I sign out a user who has signed in using Windows Authentication?

I saw this post, but it was asked in 2009. Just wondering if signing out a Windows user is now possible.

Pankwood
duck
  • What do you actually mean by "sign user out"? The *user* hasn't signed out of his machine. "Signing out" for a web application means "terminating the session". The question is asking for the wrong thing – Panagiotis Kanavos Jul 25 '18 at 13:28
  • You can terminate the user session in the same way you would in any web application. By setting a timeout, by the user's explicit action like clicking on a `Sign out` button or by a Javascript action when a page is closed – Panagiotis Kanavos Jul 25 '18 at 13:30
  • *Why* are you asking about signing out a Windows user? What is the *actual* problem you want to solve? Store a `sign out` date? End the user's session? Track online status? Something else? Remember, HTTP is *stateless*, the only thing that tracks sign-in/out status is the application itself – Panagiotis Kanavos Jul 25 '18 at 13:38
  • @PanagiotisKanavos I was curious about it because the users who would be using this site have two different Windows accounts: one normal, one admin. I was hoping to make their lives easier by detecting which account they used and say "hey this is the wrong account, click here to sign out and sign back in using the correct account." As of right now it does say that message, I was just hoping to make it easier for them by offering the sign in screen again. – duck Jul 25 '18 at 13:47
  • Are you asking about Windows authentication or Forms authentication against AD perhaps? In the first case there's no signing in to sign out from. The second case is simply Forms authentication against an AD store instead of eg a database. – Panagiotis Kanavos Jul 25 '18 at 13:47
  • You *don't* have to detect anything, the application *already* knows it. That's what's great about Windows authentication. You can display the signed-in name with a simple `@(User.Identity.Name)`. You can use `User.IsInRole()` to check whether a user belongs to a specific role or group – Panagiotis Kanavos Jul 25 '18 at 13:50
  • I thought maybe there was a way to terminate the authentication but after reading this thread it makes sense that it's not really possible. I'll look into restarting the browser flow somehow. Thank you! – duck Jul 25 '18 at 14:01
  • `I was just hoping to make it easier for them by offering the sign in screen again.` That's a bit different. Windows authentication works with the browser making an anonymous request to the web site and the site responding with a 401 and a WWW-Authenticate header of Negotiate, NTLM challenge. The browser then sends a token as the `Authorization` header. You can see that if you use eg Fiddler. Browsers that aren't configured to automatically authenticate will display their own login form – Panagiotis Kanavos Jul 25 '18 at 14:03
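Added example, not code from the question or either answer: an ASP.NET Core 2.1 `Startup` that relies on the identity Windows authentication already supplies (the `User.Identity.Name` / `User.IsInRole()` point made in the comments) to tell a user they opened the site with the wrong account, and that re-issues the Negotiate challenge only for a request that arrived unauthenticated. The group name `CORP\WebAdmins` is an assumption; hosting behind IIS with Windows authentication enabled is assumed too.

```csharp
// Startup.cs for ASP.NET Core 2.1 hosted in IIS with Windows authentication enabled.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed AD group of the "admin" accounts; replace with the real group name.
    private const string AdminGroup = @"CORP\WebAdmins";

    public void ConfigureServices(IServiceCollection services)
    {
        // IIS performs the Negotiate/NTLM handshake; the app only sees the resulting WindowsPrincipal.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();

        app.Use(async (context, next) =>
        {
            var user = context.User;
            if (user?.Identity?.IsAuthenticated != true)
            {
                // Only reachable if anonymous access is also enabled in IIS. Re-issuing the
                // challenge is the only "sign-in screen" there is: a browser configured for
                // automatic authentication answers it silently with the same account, which is
                // why there is no server-side sign-out for Windows authentication.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                context.Response.Headers["WWW-Authenticate"] = "Negotiate";
                return;
            }

            // The app already knows which account was used; no extra detection is needed.
            if (!user.IsInRole(AdminGroup))
            {
                // 403 rather than 401: a 401 would just re-trigger the automatic handshake.
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                context.Response.ContentType = "text/plain";
                await context.Response.WriteAsync(
                    $"You are signed in as {user.Identity.Name}, which is not in {AdminGroup}. " +
                    "Close the browser and reopen this site with your admin account.");
                return;
            }

            await next();
        });

        app.UseMvc();
    }
}
```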

2 Answers


Short Answer: No.

You would need to use Forms Authentication. The Windows Authentication flow has not changed since that question was posted.

If you do not want to move to Forms Authentication you could create your own form of "Logging Out" by managing a logged-on bool in the database for that user and then returning 401 Unauthorized. I strongly advise not doing that; you should implement Forms Authentication.

Riddell
  • There's nothing to sign out from. The user hasn't logged out from *Windows*, so any attempt to open a web app is always valid. Signing out from a web application typically means "terminate the session" – Panagiotis Kanavos Jul 25 '18 at 13:28
  • @PanagiotisKanavos What? It's still possible to handle it that way. You handle it on the server side by blocking requests for that user based on the database value `logged on`. It's just a terrible solution and shouldn't be used. – Riddell Jul 25 '18 at 13:32
  • @Riddell what what what? That's not how Windows **authentication** works. There's no "sign in" that would require a sign out. The user is authenticated by *his/her* machine. A token is sent to the server through a request header. The server validates that token and checks whether that's an allowed user. – Panagiotis Kanavos Jul 25 '18 at 13:34
  • Block out the user, why? And for how long? After all, the request is *already* authenticated. – Panagiotis Kanavos Jul 25 '18 at 13:35
  • @PanagiotisKanavos I know exactly how it works. You're clearly not understanding what I'm saying. You can still render a different page based on the authenticated request. It's a hacky way and that's what I say in the answer. I find your comments really irrelevant to both the answers on this question. – Riddell Jul 25 '18 at 13:37

This still stands true:

No server-side logout button will work when using "Windows" authentication. You must use "Forms" authentication if you want a logout button, or close the user's browser.

Thus you would need to use a different form of authentication if you want to be able to log out the user.

Fuzzybear
  • There's nothing to sign out from. The user hasn't logged out from Windows, so any attempt to open a web app is always valid. Signing out from a web application typically means "terminate the session" – Panagiotis Kanavos Jul 25 '18 at 13:28