Bug: Reopening a secured web application from ArcGIS Server Manager does not require login

Description

** This bug has been fixed at ArcGIS 9.3 Service Pack 1. **

In ArcGIS Server 9.3, a secured Web application opened from Manager may not display the login page, but instead open directly to the main page. This only occurs when (a) the security user store has been configured to SQL Server or a custom provider in Manager, (b) the Web application has been secured in Manager, and (c) the Web application was opened previously from the same browser session. In this case, the application will not redirect the user to the login page, even if the user logged out in the previous viewing of the application.

Cause

Logging out of the Web Mapping Application does not remove the authorization cookie from the browser. This allows the user in the same browser session to return to the application without logging in.

Workaround

To ensure the login page is displayed when the user re-enters the Web Mapping Application, do one of the following actions.

· After logging out of the Web Mapping Application, close the browser window for the application and for Manager, along with any other windows opened from the same session. For Firefox, close all Firefox browser windows (all Firefox windows share the same session). Then open a new browser window with the Web Mapping Application.

· If it is essential that the user be completely logged out of the Web Mapping Application, modify the application code as follows:

a) Using a text editor such as Notepad, or a development environment such as Visual Studio, open the Default.aspx.cs or Default.aspx.vb file in the application.

b) Find the following line, inside the CleanUp() method of the file:

HttpContext.Current.Session.RemoveAll()

Add the following line immediately after the above line.

For C#, add this line:

FormsAuthentication.SignOut();

For Visual Basic (VB), add this line:

FormsAuthentication.SignOut()

c) Save the file. Now, if the application is restarted from Manager after logging out, the user will be required to log in to the application.
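
A check for the change described in the steps above, as an added example that is not part of the original article or the application's own code: it inspects the Set-Cookie headers of the logout response and reports whether the forms-authentication cookie was expired. The cookie name .ASPXAUTH is the ASP.NET default and is assumed unchanged in web.config; the function names and sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: default ASP.NET forms-authentication cookie name.
AUTH_COOKIE = ".ASPXAUTH"

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def auth_cookie_cleared(set_cookie_headers, now=None):
    """True if the response empties the auth cookie or expires it in the past."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != AUTH_COOKIE:
            continue
        if value == "":
            return True
        expires = attrs.get("expires")
        if not expires:
            continue  # session cookie with a live value: not cleared
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            continue  # unparseable date: do not count it as cleared
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            return True
    return False

# Constructed logout responses: without the fix, no auth cookie is sent
# at all, so the browser keeps the one it already holds.
BEFORE_FIX = ["ASP.NET_SessionId=constructedsessionid; path=/; HttpOnly"]
# With FormsAuthentication.SignOut(), the cookie is emptied and back-dated.
AFTER_FIX = [".ASPXAUTH=; expires=Tue, 12-Oct-1999 00:00:00 GMT; path=/; HttpOnly"]

if __name__ == "__main__":
    print("before fix cleared:", auth_cookie_cleared(BEFORE_FIX))
    print("after fix cleared: ", auth_cookie_cleared(AFTER_FIX))
```

Feed it the Set-Cookie header values captured from the logout response in the browser's developer tools or an intercepting proxy.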