
In my web app I have basic authentication, and login and logout work successfully on all pages, except on a specific public page where I'm requesting in the body a resource (an image) protected by authorization.
If I call this page after logout, the request for this image gets an unauthorized error (401) in Firefox, Chrome and IE11. The difference is that while Firefox and Chrome show me the realm popup asking for credentials, IE doesn't ask me anything.
Not asking for credentials means that the credentials remain saved in the browser; in my application I set a flag for having asked for credentials; subsequently I can call a protected page without entering credentials.

So I chose to clear basic authentication credentials, but I don't like this solution:

document.execCommand("ClearAuthenticationCache");

Is there a way to force IE to ask for credentials also for a resource in the body?

1 Answer

There's a post discussing different options to clear IE's credential cache. And there's an article about configuring IE to prompt for credentials. I summarize three ways:

  • Programmatically send a 401 HTTP status to the client (e.g. Response.Status = 401).
  • Redirect a user to http://fakeuser:wrongpassword@www.yoursite.com. Since fakeuser/wrongpassword isn't a valid Windows account, the user will be prompted to enter valid credentials.
  • In the Security tab of Internet Options (IE -> Tools/Gear Icon -> Internet Options), select the appropriate zone for your set and go to the Custom level. Scroll all the way down to User Authentication and select the button beside Prompt for user name and password.

There's also an article about how IE will resend credentials and an article about Internet Explorer prompting for a password; you can also refer to them for further information.

Yu Zhou
  • Thanks Yu, the [first post](http://www.adopenstatic.com/cs/blogs/ken/archive/2005/04/12/14.aspx) convinced me to avoid ClearAuthenticationCache, because "this will clear the credentials cache for the entire iexplore.exe process, so users will be forced to re-authenticate to any site being accessed by that process (in case they have multiple windows open pointing to multiple websites)". – Matteo Gallinucci Jun 25 '19 at 08:25
  • I tried to change the IE Options setting to "Prompt for user name and password" for all levels, but it continues not to ask for credentials for the image. I tried to send a 401 response for an ajax request called on page ready, but it doesn't delete cached credentials. It seems that IE deletes credentials only for a 401 got by a request made directly from the address bar. Do you know how I can recognize in Java if the request is coming from the address bar or if it is coming from a resource declared in the body? – Matteo Gallinucci Jun 25 '19 at 08:34
  • I haven't used Java, but I found some threads related to your question: [thread1](https://stackoverflow.com/questions/4885893/how-to-differentiate-ajax-requests-from-normal-http-requests), [thread2](https://stackoverflow.com/questions/14621539/how-to-determine-whether-a-request-is-ajax-or-normal); you can check them. – Yu Zhou Jun 26 '19 at 07:05
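
The first option in the answer (send a 401), combined with the logout flag the question describes, could look like this on the server. This is an added example, not code from the post or its authors; the `handle`, `logout` and `is_navigation` names, the demo account and realm, and the Accept-header heuristic for telling a page load from an embedded resource are assumptions.

```python
import base64
import hmac

USERS = {"alice": "s3cret"}   # constructed demo account, not from the page
REALM = "demo"                # assumed realm name

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_navigation(headers):
    # Heuristic (assumption): page loads advertise text/html in Accept,
    # while <img> and XHR requests normally do not.
    return "text/html" in headers.get("Accept", "").lower()

def challenge():
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

def logout(session):
    session.pop("user", None)
    session["must_challenge"] = True

def handle(headers, session):
    """Return (status, response_headers) for a request to a protected URL."""
    creds = parse_basic(headers.get("Authorization"))
    if session.get("must_challenge"):
        # Anything sent right after logout is the browser's cached copy.
        # Only a page load uses up the flag; an embedded resource is refused
        # but leaves it set, so the next page load is still challenged.
        if creds is not None and is_navigation(headers):
            session["must_challenge"] = False
        return challenge()
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge()
    session["user"] = user
    return 200, {}
```

The server cannot tell typed credentials from cached ones, so a user whose browser had nothing cached is prompted twice after logout; that is the cost of never letting an image request clear the flag.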