How to invalidate credentials in Basic Authentication

[MikeL]

Hello.

I have a site that uses Basic Authentication (with SSL).

The user has an option within the site to change their password. Since this
affects their domain account the user no longer can access the site after
they change their password. They have to close the browser and then log on
again in a new browser session, and enter their new password at the Windows
logon prompt.

Two questions:

1) After the code commits the password change to AD is there some way to
change the user's credentials (in the credential cache, is that where it's
located?) to reflect the new password so that the user can continue using
the site?

2) Is there a way to remove the current credentials (again, from the
credential cache?) so that I can redirect them to the default page, which
would then prompt them for the user ID and (new) password? This would be my
second choice.

Thanks in advance,

Mike

 

[Paul Clement]

¤ Hello.
¤
¤ I have a site that uses Basic Authentication (with SSL).
¤
¤ The user has an option within the site to change their password. Since this
¤ affects their domain account the user no longer can access the site after
¤ they change their password. They have to close the browser and then log on
¤ again in a new browser session, and enter their new password at the Windows
¤ logon prompt.
¤
¤ Two questions:
¤
¤ 1) After the code commits the password change to AD is there some way to
¤ change the user's credentials (in the credential cache, is that where it's
¤ located?) to reflect the new password so that the user can continue using
¤ the site?
¤
¤ 2) Is there a way to remove the current credentials (again, from the
¤ credential cache?) so that I can redirect them to the default page, which
¤ would then prompt them for the user ID and (new) password? This would be my
¤ second choice.

If you're using Basic authentication the credentials are cached in the browser, so I believe the
answer would be no. What should happen is that the user is prompted with a new logon dialog the next
time they attempt to access a secured resource.


Paul
~~~~
Microsoft MVP (Visual Basic)

 

[MikeL]

Hi, Paul. Thanks for the response.

I'm curious about something. I noticed that Outlook Web Access has a "Log
Off" button. As part of my site I provide a link to the user's Exhange
mailbox, which is simply a link to OWA, and it opens in a new window. If the
user clicks the Log Off button and returns to the launching page, the user
has to sign on again.

So, it seems as though OWA is doing excatly what I wish to do. What do you
think OWA's Log Off button does?

Thanks again,

Mike

 

[Dominick Baier [DevelopMentor]]

Hello Mikel,

you can either issue a 401 back to the client or IE6 SP1 and up supports
this JavaScript command

document.execCommand(ClearAuthenticationCache, false)

 

[paulsomm]

"I'm curious about something. I noticed that Outlook Web Access has a
"Log
Off" button. As part of my site I provide a link to the user's Exhange
mailbox, which is simply a link to OWA, and it opens in a new window.
If the
user clicks the Log Off button and returns to the launching page, the
user
has to sign on again.

So, it seems as though OWA is doing excatly what I wish to do. What do
you
think OWA's Log Off button does? "


MikeL, if you notice, OWA tells you to close your browser to complete
the logoff. What it does when you click "logoff" is it invalidates
your session, but I.E. still has your credentials cached until it is
closed. If you change your password via OWA, you also have to close
your browser and log back in with the new password for that change to
be noticed.

If you have access to the OWA server, you can look at the code it uses
for OWA if you want to see the details of what's going on.