The requirements are:

After the Session clears, send the user back to the homepage, and force them to re-login using the Windows Authentication prompt.

Current situation:

I have a JavaScript countdown timer that, when it hits 0, sends an alert saying the session is over. What I want to be able to do is either through JavaScript or a postback to the server, clear the user's credentials.

What I've read/tried:

AJAX post to the server, setting HttpContext.Response, and throwing an HttpException(401)

    [HttpPost]
    public ActionResult ForceRelogin()
    {
        //HttpContext.Response.StatusCode = 401;
        //HttpContext.Response.End();
        //return RedirectToAction("Index", "Home");
        //throw new HttpException(401, "");
        return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
    }

Neither of these seems to work with AJAX, and I'm unsure of how to cause a regular postback to a controller action that doesn't involve a submit.

Question:

How do I force users to re-authenticate their Windows Authentication credentials, without using ActiveX or changing their IE settings? Bonus Question: How do you post back from JavaScript to an MVC controller action without using submit or AJAX?

kudos-dude
  • I don't know MVC so much, but have you tried to do a response with [HttpStatusCodeResult](http://msdn.microsoft.com/en-us/library/system.web.mvc.httpstatuscoderesult(v=vs.98).aspx) with 401 (Unauthorized)? – Vitor Canova May 08 '13 at 15:58
  • I have, and just tried it again to no effect. I'm thinking that part of my problem is that I'm doing an AJAX call which is eating any kind of exception I throw from it. Obviously I haven't seen this work yet, so it could be something else I'm doing wrong. – kudos-dude May 08 '13 at 16:08
  • Just to be sure. You tried to return HttpStatusCodeResult instead of throwing the exception in your example, right? If yes, maybe you can verify the status code in your JS callback. If it is 401, redirecting to logon may "do the trick". – Vitor Canova May 08 '13 at 16:16
  • Ah I see what you mean, I did a return of a HttpStatusCodeResult with Code.Unauthorized, still to no effect. I'm still thinking it's getting eaten by the AJAX call, when I want it to hit the browser. Is there another way besides AJAX that I can call this controller action from JavaScript? – kudos-dude May 08 '13 at 16:23
  • Sorry, I don't know MVC that much. ;) – Vitor Canova May 08 '13 at 16:29
  • You could set the window.location = "http://foo.com/Controller/Action" via JavaScript? That should force the user's browser to hit your action. If you need your action to be a POST though, you would have to embed an HTML form element into your page and then submit it via JavaScript. – ctrlplusb May 29 '13 at 12:55

1 Answer

Below are some examples of my comment.


If you could get away with a GET request -

Controller:

    [HttpGet]
    public ActionResult ForceRelogin()
    {
        // Would you maybe just throw a new unauthorized HttpException exception?
        // throw new HttpException(401, "Forbidden");
        // But try to invalidate the session and then do a redirect to the login page
        return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
    }

JavaScript:

    <script type="text/javascript">
       ...

       var redirectToLogin = function() {
          window.location.href = "http://foo.com/login/ForceRelogin";
       }

       ...
    </script>

OR if you needed to do it with a POST, then do:

Controller:

    [HttpPost]
    public ActionResult ForceRelogin()
    {
        // Would you maybe just throw a new unauthorized HttpException exception?
        // throw new HttpException(401, "Forbidden");
        // But try to invalidate the session and then do a redirect to the login page
        return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
    }

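JavaScript & HTML:

    <script type="text/javascript">
       ...

       var redirectToLogin = function() {
          var form = document.getElementById("formFoo");
          form.submit();
       }

       ...
    </script>

    <!-- method="post" is required: a form without it submits as GET and never reaches the [HttpPost] action -->
    <form id="formFoo" method="post" action="http://foo.com/login/ForceRelogin">
       ...
    </form>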

I am not entirely sure how you would invalidate the user session though? Returning an unauthorized error code may help you redirect to the login page, but the user could press the back button and then continue to browse on. If this isn't a concern for you then you may as well just redirect the user to the login page directly. I did find this post, and perhaps you may need to follow a similar approach, basically it involves sending an invalid login attempt: Logging a user out when using HTTP Basic authentication

Community
ctrlplusb
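
The flow suggested in the comments and the answer (read the status in the JavaScript callback, then move the window itself instead of relying on the AJAX response), written out as an added example that is not part of the original posts. `createSessionTimeout`, `xhrPost`, `HOME_URL` and the injected `post`/`navigate` helpers are assumed names; the example covers only the client-side flow and does not clear credentials the browser has cached.

```javascript
// Added example, not code from the thread. All names below are illustrative.
const FORCE_RELOGIN_URL = "/login/ForceRelogin"; // action path as shown in the answer
const HOME_URL = "/";                            // assumed homepage URL

function createSessionTimeout(opts) {
  const setTimer = opts.setTimer || setTimeout;
  const clearTimer = opts.clearTimer || clearTimeout;
  let handle = null;
  let expired = false;

  // Runs when the countdown reaches 0.
  function expire() {
    if (expired) return;           // at most once, even if triggered twice
    expired = true;
    opts.post(FORCE_RELOGIN_URL, function (status) {
      // An AJAX callback only receives the status code; the window does not
      // change unless script acts on it. 401 is what ForceRelogin returns on
      // this page; 0 means the request never completed.
      const acknowledged = status === 401;
      if (opts.onResult) opts.onResult({ status: status, acknowledged: acknowledged });
      // Fail closed: leave the protected page whatever the server said.
      opts.navigate(HOME_URL);     // top-level navigation, not another AJAX call
    });
  }

  // Start or restart the countdown (page load, user activity).
  function start() {
    if (expired) return;
    if (handle !== null) clearTimer(handle);
    handle = setTimer(expire, opts.seconds * 1000);
  }

  return { start: start, expire: expire };
}

// Browser-side POST helper (uses XMLHttpRequest, so it only runs in a browser).
function xhrPost(url, done) {
  const xhr = new XMLHttpRequest();
  xhr.open("POST", url);
  xhr.onloadend = function () { done(xhr.status); }; // fires on success, error and abort
  xhr.send();
}

// Browser wiring:
// createSessionTimeout({ seconds: 900, post: xhrPost,
//   navigate: function (u) { window.location.replace(u); } }).start();
```

`window.location.replace` swaps the current history entry, so the expired page itself is not what the back button returns to; earlier entries in the history are unaffected.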