Hi Douglas,

> In our case we land the user at a login page which handles the httpAuth
> send avoiding the nasty dialog.
> If the user is not authenticated they do not get in.  No problem there.
> If the user is authenticated then they are taken to the application
> (written in Angular)
> At some point they will click the logout button/link and this would cause
> the session to close (WEB CLOSE SESSION) and they are redirected to the
> login page.

Nearly the same as what we do. I don't see a problem here.

> If they then typed in the index of the application index.shtml file the
> browser was still passing in the old username and password so the client
> was getting through the On Web Authentication and was issued with a new
> session ID and could use the system as before the logout.

That's a bit strange and I don't understand it fully.
Only one guess:
You mentioned Angular as the web framework (some call it a platform, anyway).
I don't know the architecture of your web app, but it seems the problem is
buried there. With Angular you produce so-called single page applications
(SPA). That means that all the data entered is stored in the front end.
Angular works with scopes, where the data is stored. So I think you have a
scope containing the user credentials, and if you go back to your start page
these credentials are still there in this scope. The start page isn't really a
new page since you have a single page application.
What you have to do is delete them or destroy the scope after sending the
credentials to the server. Your current solution (see below) tries to locate
the problem in the backend/the server. But I'm quite sure the problem is
related to your frontend code and has nothing to do with 4D.
And for security reasons it is better to delete the credentials immediately
after the login request, whether it is successful or not.

Disclaimer: This hint is a guess, as I said already, since I don't know enough
about your application.

Regards
Lutz 

> What I have done today is when the logout happens I now place a call using
> JS from the logout page with invalid (null) credentials which causes the
> username and password to be cleared.  Having carried out significant testing
> we have not been able to get back in to an application page following a log
> out using this method.
> 
> Regards,  Dougie
**********************************************************************
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
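
The two measures discussed in this thread, as an added example that is not part of the original messages: the login call wipes the credentials from the front-end model whether or not the request succeeds, and logout follows the session close with a request carrying deliberately invalid credentials. The paths `/login` and `/logout`, the `form` object and the injected `fetchFn` are assumptions; that the browser then drops its cached credentials is what Douglas reports, not something this code can verify.

```javascript
// Added example. Paths, `form` and the injected `fetchFn` are assumptions,
// not taken from the application discussed in the thread.
function basicHeader(user, pass) {
  // btoa() throws on non-Latin-1 input; the caller must still clear the model.
  return 'Basic ' + btoa(user + ':' + pass);
}

function createAuthClient(fetchFn) {
  return {
    // `form` is the object the login view binds its inputs to.
    async login(form) {
      try {
        const res = await fetchFn('/login', {
          method: 'POST',
          headers: { Authorization: basicHeader(form.username, form.password) },
        });
        return res.ok;
      } catch (err) {
        return false; // network or encoding failure counts as a failed login
      } finally {
        // Runs on success, on rejection and on exception alike.
        form.username = '';
        form.password = '';
      }
    },

    async logout() {
      // 1. Ask the server to close the session.
      await fetchFn('/logout', { method: 'POST' });
      // 2. Request a protected page with deliberately invalid (empty)
      //    credentials, as in the workaround described in the thread.
      const res = await fetchFn('/index.shtml', {
        headers: { Authorization: basicHeader('', '') },
      });
      return res.status === 401; // true only if the server refused them
    },
  };
}
```

A `false` return from `logout()` means the server accepted the empty credentials, which is a server-side authentication problem rather than a front-end one.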