Using an HTTP Module for a SharePoint 2007 (MOSS/WSS) Site Using FBA and RSA

Requirement: I am using a WSS site with Forms-Based Authentication (FBA) and a custom login page that reads the username from the RSA cookie and calls the FormsAuthentication.RedirectFromLoginPage method, so that the user does not have to re-enter credentials.

The problem comes up when the user clicks the “Sign Out” or “Sign in as a Different User” link and is redirected to the login page. The login page detects that the RSA authentication cookie still exists and logs the user back in.

So all we need to do is remove the RSA cookie before the user is redirected to the login page.

One solution (workaround) I found for this issue is to use an HTTP Module.

Whenever you log out or sign in as a different user, SharePoint takes you to these two pages:

/_layouts/SignOut.aspx

And

/_layouts/AccessDenied.aspx

I have created an HTTP Module to handle this. The code looks like this:

using System;
using System.Web;
using System.Web.UI;
using System.IO;

public class LogoutModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Run before the page handler executes, so the cookie can be
        // cleared before SharePoint redirects to the login page.
        app.PreRequestHandlerExecute += new EventHandler(app_PreRequestHandlerExecute);
    }

    void app_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;

        // Both pages are part of the sign-out / sign-in-as-different-user flow.
        if (context.Request.Path.Contains("/_layouts/SignOut.aspx") || context.Request.Path.Contains("/_layouts/AccessDenied.aspx"))
        {
            // Code to remove RSA cookie goes here
        }
    }

    public void Dispose()
    {
    }
}

There could be a better and easier solution for this. Please let me know your ideas.

Update note: There is a minor modification to the code above, thanks to Andy Spears:

// See if the user clicked the "Sign in as a different user" or "Sign Out" menu options
if (context.Request.Url.PathAndQuery.ToLower().Contains("/_layouts/accessdenied.aspx?loginasanotheruser=true") || context.Request.Path.ToLower().Contains("/_layouts/signout.aspx"))
{
    // Code to remove RSA cookie goes here
}

I had to look for the “loginasanotheruser” URL parameter, otherwise whenever a user accessed a page they didn’t have permissions on, they would be logged out.
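One way to fill in the "remove RSA cookie" step, as an added example that is not the original author's or Andy Spears's code. It assumes a placeholder cookie name and a cookie Path of "/" (the post gives neither), and it generalizes the update's check by reading the loginasanotheruser parameter from the parsed query string, so the match does not depend on parameter order.

```csharp
using System;
using System.Web;

// Added example: class, constant and method names are hypothetical.
public class RsaCookieLogoutModule : IHttpModule
{
    // Placeholder: the post does not name the RSA cookie. Use the exact
    // name your RSA agent issues.
    private const string RsaCookieName = "RSA_COOKIE_NAME_PLACEHOLDER";

    public void Init(HttpApplication app)
    {
        app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
    }

    // True only for "Sign Out" and "Sign in as a Different User" requests.
    private static bool IsLogoutRequest(HttpRequest request)
    {
        string page = request.FilePath; // excludes query string and path info
        if (page.EndsWith("/_layouts/SignOut.aspx", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
        // AccessDenied.aspx is also served for ordinary permission failures,
        // so require loginasanotheruser=true before touching the cookie.
        return page.EndsWith("/_layouts/AccessDenied.aspx", StringComparison.OrdinalIgnoreCase)
            && string.Equals(request.QueryString["loginasanotheruser"], "true", StringComparison.OrdinalIgnoreCase);
    }

    private void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!IsLogoutRequest(context.Request) || context.Request.Cookies[RsaCookieName] == null)
        {
            return;
        }
        // A browser drops a cookie only when it receives one with the same
        // name, Path and Domain and an expiry date in the past. Path "/" is
        // an assumption; if the agent sets a Domain, set the same Domain here.
        HttpCookie expired = new HttpCookie(RsaCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.Path = "/";
        expired.HttpOnly = true;
        context.Response.Cookies.Add(expired);
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered under `<httpModules>` in the web application's web.config. Expiring the cookie only removes it from the browser; it does not by itself end any session the RSA agent tracks on the server.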