CODEWITHSUNDEEP
asp.netsecuritypostportal
Anyname Donotcare
Anyname Donotcare

Reputation: 11403

How to logout from all the opened web applications through the logout button in the portal?

I i use the post method to open different web sites through my portal like this :

In my portal main page :

<form method="post" target="_blank" action="">
<input id="Hdn_r" name="Hdn" type="hidden" value="55622"> 
.....
</form>

then in the main page of any site opened through the portal i do the following check :

var hr = HttpContext.Current.Request.UrlReferrer;
        if (hr != null && !string.IsNullOrEmpty(hr.AbsolutePath))
        {
            if (Request.UrlReferrer.AbsolutePath.Contains("Portal"))
            {

                if (Request.Form["Hdn_r"] != null && !string.IsNullOrEmpty(Request.Form["Hdn_r"].ToString())
                   && Request.Form["Hdn_a"] != null && !string.IsNullOrEmpty(Request.Form["Hdn_a"].ToString()) &&
                   Request.Form["Hdn_b"] != null && !string.IsNullOrEmpty(Request.Form["Hdn_b"].ToString()) &&
                   Request.Form["Hdn_c"] != null && !string.IsNullOrEmpty(Request.Form["Hdn_c"].ToString())
                   )
                {

                  Session["emp_num"]= int.Parse(Request.Form["Hdn_r"].ToString());
                //...........

My question is :

How to logout from all the opened web sites through one click in the logout button in my portal ?

Say i open three web sites through my portal , i want when i logout(in the portal) to log me out from all the opened applications ?

Note: the different web sites in the portal published in different servers .

Upvotes: 5

Views: 1841

Answers (6)

Falco
Falco

Reputation: 3416

Do you really have a concept of what it means to be "logged in" ?

As far as I can see your user is just logged in, via a hidden Session variable - so as soon as he closes the browser window of any of these pages, he is no longer logged in. Because if he would open the page again without the hidden session Variable he is not logged in.

I would proceed like most SSO-Solutions (e.g. Shibboleth) - There is no such thing as "Log out" you have an active Session, in which you are identified as a certain User by a SSO Service verifying your credentials - when you close this session and open a new one, you have to be verified again. If you are not verified again, you visit the page as an anonymous User in the new Session which is - as far as user experience is concerned the same as being 'logged out'

A logout is usually just the deletion of a cookie (if cookies are in use, and even then not always) and invalidating the current session-token on the server. But this is not true for many services (especially single-sign-on-solutions) which just make the User believe he has 'logged out' by resetting him to a new session, where he is not yet verified by the SSO-Server.

Upvotes: 2

MK.
MK.

Reputation: 5149

Without going into the details of your implementation approach, you can open a new window by name and make its name as your form target (sample), you need to do the following changes:

  1. Update your login button to post using javascript:

    // holds the list of opened websites, used later for logout.
var openedWebsites = [];

function login(siteName) {
  openedWebsites.push(siteName);
  var windowName = siteName + "_window";
  //assuming you name your forms as "{sitename}_loginForm"
  var loginForm = siteName + "_loginForm";

  var form = document.getElementById(loginForm);
  form.target = windowName;
  window.open("",windowName);
  form.submit();
}

  2. Then make your logout button post a logout request to each window:

    function logout(){
  for(var x=0;x<openedWebsites.length;x++){
    var siteName = openedWebsites[x]; 
    var windowName = siteName + "_window";
    //assuming you name your forms as "{sitename}_logoutForm"
    var logoutForm = siteName + "_logoutForm";

    var form = document.getElementById(logoutForm);
    form.target = windowName;
    form.submit();
    }
}

Upvotes: 1

bedomon
bedomon

Reputation: 350

the first question is how do you manage your connection. ?

One thing could be a status flag that is check in a front controller of any page, and if the flag is false you redirect to login page and you kill all the session data.

Upvotes: 2

Biby Augustine
Biby Augustine

Reputation: 425

You couldn't get Session of one website in another one. Different websites have different session states. Also if you want to resolve above problem, then make use of Cookies in your application. Cookies details are stored in browser and that can be globally accessible for all websites. When you are logging into your portal create a cookie with your login credentials and if when you click on any website link that provided on your website portal, use your cookie information to logging in. Finally if you click on any logout button clear your cookie information. Just try this.

Upvotes: 2

Kuzgun
Kuzgun

Reputation: 4737

Create a logout page in all your websites. Then, when you want to logout, call those logout pages with ajax. Or make httprequests to that logout pages. You cannot logout directly because they are not on same domain and one site cannot alter session of another site.

Upvotes: 4

cubitouch
cubitouch

Reputation: 1937

Why don't you try making the right POST requests targeting all you websites, in order to loggout programmatically ?

See http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest(v=vs.110).aspx

Upvotes: 2

Related Questions