Is there a browser equivalent to IE's ClearAut

2020-01-27 01:44发布

站内问答 / 前端开发
1893 7 6

I have a few internal .net web application here that require users to "log out" of them. I know this may seem moot on an Intranet application, but nonetheless it is there.

We are using Windows authentication for our Intranet apps, so we tie in to our Active Directory with Basic Authentication and the credentials get stored in the browser cache, as opposed to a cookie when using .net forms authentication.

In IE6+ you can leverage a special JavaScript function they created by doing the following:

document.execCommand("ClearAuthenticationCache", "false")

However, for the other browsers that are to be supported (namely Firefox at the moment, but I strive for multi-browser support), I simply display message to the user that they need to close their browser to log out of the application, which effectively flushes the application cache.

Does anybody know of some commands/hacks/etc. that I can use in other browsers to flush the authentication cache?

7条回答
够拽才男人
2楼-- · 2020-01-27 02:26

Why not use FormsAuth, but against ActiveDirectory instead as per the info in this thread. It's just as (in)secure as Basic Auth, but logging out is simply a matter of blanking a cookie (or rather, calling FormsAuthentication.SignOut)

查看更多
0人赞 添加讨论(0) 举报
时光不老,我们不散
3楼-- · 2020-01-27 02:29

Mozilla implemented the crypto object, available via the DOM window object, which has the logout function (Firefox 1.5 upward) to clear the SSL session state at the browser level so that "the next private operation on any token will require the user password again" (see this).

The crypto object seems to be an implementation of the Web Crypto API, and according to this document, the DOMCrypt API will add even more functions.

As stated above Microsoft IE (6 upward) has: document.execCommand("ClearAuthenticationCache", "false")

I have found no way of clearing the SLL cache in Chrome (see this and this bug reports).

In case the browser does not offer any API to do this, I think the better we can do is to instruct the user to close the browser.

Here's what I do:

var agt=navigator.userAgent.toLowerCase();
if (agt.indexOf("msie") !== -1) {
    document.execCommand("ClearAuthenticationCache","false");
}
//window.crypto is defined in Chrome, but it has no logout function
else if (window.crypto && typeof window.crypto.logout === "function"){
    window.crypto.logout();
}
else{
    window.location = "/page/to/instruct/the/user/to/close/the/browser";
}
查看更多
0人赞 添加讨论(0) 举报
够拽才男人
4楼-- · 2020-01-27 02:29

A couple of notes. A few people have said that you need to fire off a ajax request with invalid credentials to get the browser to drop it's own credentials.

This is true but as Keith pointed out, it is essential that the server page claims to accept these credentials for this method to work consistently.

On a similar note: It is NOT good enough for your page to just bring up the login dialog via a 401 error. If the user cancels out of the dialog then their cached credentials are also unaffected.

Also if you can please poke MOZILLA at https://bugzilla.mozilla.org/show_bug.cgi?id=287957 to add a proper fix for FireFox. A webkit bug was logged at https://bugs.webkit.org/show_bug.cgi?id=44823. IE implements a poor but functional solution with the method: 

document.execCommand("ClearAuthenticationCache", "false");

It is unfortunate that we need to go to these lengths just to log out a user.

查看更多
0人赞 添加讨论(0) 举报
▲ chillily
5楼-- · 2020-01-27 02:31

I've come up with a fix that seems fairly consistent but is hacky and I'm still not happy with it.

It does work though :-)

1) Redirect them to a Logoff page

2) On that page fire a script to ajax load another page with dummy credentials (sample in jQuery):

$j.ajax({
    url: '<%:Url.Action("LogOff401", new { id = random })%>',
    type: 'POST',
    username: '<%:random%>',
    password: '<%:random%>',
    success: function () { alert('logged off'); }
});

3) That should always return 401 the first time (to force the new credentials to be passed) and then only accept the dummy credentials (sample in MVC):

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult LogOff401(string id)
{
    // if we've been passed HTTP authorisation
    string httpAuth = this.Request.Headers["Authorization"];
    if (!string.IsNullOrEmpty(httpAuth) &&
        httpAuth.StartsWith("basic", StringComparison.OrdinalIgnoreCase))
    {
        // build the string we expect - don't allow regular users to pass
        byte[] enc = Encoding.UTF8.GetBytes(id + ':' + id);
        string expected = "basic " + Convert.ToBase64String(enc);

        if (string.Equals(httpAuth, expected, StringComparison.OrdinalIgnoreCase))
        {
            return Content("You are logged out.");
        }
    }

    // return a request for an HTTP basic auth token, this will cause XmlHttp to pass the new header
    this.Response.StatusCode = 401; 
    this.Response.StatusDescription = "Unauthorized";
    this.Response.AppendHeader("WWW-Authenticate", "basic realm=\"My Realm\""); 

    return Content("Force AJAX component to sent header");
}

4) Now the random string credentials have been accepted and cached by the browser instead. When they visit another page it will try to use them, fail, and then prompt for the right ones.

查看更多
0人赞 添加讨论(0) 举报
We Are One
6楼-- · 2020-01-27 02:44

Well, I've been browsing around Bugzilla for a bit now and seemingly the best way you can go for clearing the authentication would be to send non-existant credentials.

Read more here: https://bugzilla.mozilla.org/show_bug.cgi?id=287957

查看更多
0人赞 添加讨论(0) 举报
Explosion°爆炸
7楼-- · 2020-01-27 02:44

Hopefully this will be useful until someone actually comes along with an explicit answer - this issue was discussed two years ago on a message board.

HTH

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)