Bug ID Number | NIM035635
Submitted | May 27, 2008
Last Modified | June 5, 2024
Applies to | No Product Found
Version found | 9.3
Version Fixed | N/A
Status | Fixed
The bug has been fixed. See the Version Fixed and Additional Information, if applicable, for more information.
Description
** Internal Publish Only! This article may contain information that is not intended for external circulation. **
**This bug has been fixed at ArcGIS 9.3 Service Pack 1.**
Web Mapping Applications created with ArcGIS Server for the Microsoft .NET Framework may be secured to require a user login. The login uses a form on a Web page (login.aspx) when users are stored in Microsoft SQL Server or in a custom .NET provider. When the user clicks the log out link on the application page, the browser redirects to the login.aspx page.
However, the user's authentication for the Web site has not been removed from the browser. This allows the user to enter the URL for the application (default.aspx) and re-enter the application without logging in.
This represents a potential security vulnerability, particularly on publicly accessible computers. If a user logs out of the Web Mapping Application, leaves the browser running, and leaves the computer, another person could use the browser to return to the application and use it without providing a login. This would only occur if the session had not timed out (typically 30 minutes after the last activity on the site).
Cause
The Web Mapping Application does not remove the authentication cookie from the application when the user clicks the logout link on the page.
Workaround
To ensure the login page is displayed when the user re-enters the Web Mapping Application, do one of the following actions.
· After logging out of the Web Mapping Application, close the browser window for the application and for Manager, along with any other windows opened from the same session. For Firefox, close all Firefox browser windows (all Firefox windows share the same session). Then open a new browser window with the Web Mapping Application.
· If it is essential that the user be completely logged out of the Web Mapping Application, modify the application code as follows:
a) Using a text editor such as Notepad, or a development environment such as Visual Studio, open the Default.aspx.cs or Default.aspx.vb file in the application.
b) Find the following line inside the CleanUp() method of the file (in the C# file the line ends with a semicolon):
HttpContext.Current.Session.RemoveAll()
Add the following line immediately after the above line.
For C#, add this line:
FormsAuthentication.SignOut();
For Visual Basic (VB), add this line:
FormsAuthentication.SignOut()
c) Save the file. Now, if the application is restarted from Manager after logging out, the user will be required to log into the application.
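The following is an added illustration of the corrected CleanUp() method in C#; it is not code from this article or from the Esri application. Only the method name CleanUp() and the Session.RemoveAll() line come from the article; the partial class shape, the use of FormsAuthentication.RedirectToLoginPage() to return the browser to login.aspx, and the comments are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumed code-behind shape for Default.aspx.cs (example only, not the
// application's actual file).
public partial class Default : System.Web.UI.Page
{
    // Invoked when the user clicks the log out link on the application page.
    protected void CleanUp()
    {
        // Server side: discard everything held in session state for this user.
        // This is the line the article says is already present.
        HttpContext.Current.Session.RemoveAll();

        // Client side: expire the forms-authentication ticket cookie.
        // Without this line the browser keeps presenting a still-valid ticket,
        // so a request for default.aspx is treated as authenticated until the
        // ticket itself times out (the roughly 30 minute window the article
        // describes). This is the line the workaround adds.
        FormsAuthentication.SignOut();

        // Assumed: send the browser to the login page configured for forms
        // authentication (login.aspx in the default application) instead of
        // hard-coding the path.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

To confirm the fix behaves as intended, log out, then request default.aspx directly in the same browser window: the request should now land on login.aspx instead of the application, because the browser no longer carries a valid forms-authentication cookie.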
Steps to Reproduce