Using HTTP Module for SharePoint 2007 (MOSS/WSS) site using FBA And RSA

Requirement: I am using a WSS site with Forms Based Authentication (FBA) and a custom login page that reads the username from the RSA cookie and calls the FormsAuthentication.RedirectFromLoginPage method, so that the user does not have to re-enter credentials.

The problem comes up when the user clicks the “Sign Out” or “Sign in as a Different User” link and is redirected to the login page. The login page detects that the RSA authentication cookie still exists and logs the user back in.

So all we need to do is remove the RSA cookie before the user is redirected to the login page.

One solution (work-around) I found for this issue is to use an HTTP Module.

Whenever you log out or sign in as a different user, SharePoint takes you to these two pages:

/_layouts/SignOut.aspx

And

/_layouts/AccessDenied.aspx

I have created an HTTP Module to handle this. The code looks like this:

using System;
using System.Web;
using System.Web.UI;
using System.IO;

public class LogoutModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Run before the page handler executes, so the cookie is gone before any redirect
        app.PreRequestHandlerExecute += new EventHandler(app_PreRequestHandlerExecute);
    }

    void app_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;

        // SharePoint sends the user to one of these pages on sign-out or user switch
        if (context.Request.Path.Contains("/_layouts/SignOut.aspx") || context.Request.Path.Contains("/_layouts/AccessDenied.aspx"))
        {
            // Code to remove RSA cookie goes here
        }
    }

    public void Dispose()
    {
    }
}

There could be a better and easier solution for this. Please let me know your ideas.

 

Update Note: There is a minor modification to the code above, thanks to Andy Spears:

 

// See if the user clicked the "Sign in as a different user" or "Sign Out" menu options
if ( context.Request.Url.PathAndQuery.ToLower( ).Contains( "/_layouts/accessdenied.aspx?loginasanotheruser=true" ) || context.Request.Path.ToLower( ).Contains( "/_layouts/signout.aspx" ) )
{
    // Code to remove RSA cookie goes here
}

I had to look for the “loginasanotheruser” url parameter, otherwise whenever a user accessed a page they didn’t have permissions on, they would be logged out.
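One way to fill in the "Code to remove RSA cookie goes here" placeholder, written as an added example that is not the original author's code. The cookie name, path and domain are placeholders (the page does not give them) and must match what the RSA agent actually sets, because a browser only discards a cookie when the expiring Set-Cookie carries the same name, path and domain; the page check uses FilePath with a case-insensitive suffix match, which is stricter than the Contains test above.

```csharp
using System;
using System.Web;

public class RsaCookieLogoutModule : IHttpModule
{
    // Placeholders (assumptions): replace with the values your RSA agent sets.
    private const string RsaCookieName = "RSA_COOKIE_NAME_PLACEHOLDER";
    private const string RsaCookiePath = "/";
    private const string RsaCookieDomain = null; // null = host-only cookie

    public void Init(HttpApplication app)
    {
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (IsLogoutRequest(context.Request))
            ExpireCookie(context, RsaCookieName, RsaCookiePath, RsaCookieDomain);
    }

    // True for SignOut.aspx, or for AccessDenied.aspx only when
    // loginasanotheruser=true, so a plain access-denied hit does not log out.
    internal static bool IsLogoutRequest(HttpRequest request)
    {
        string file = request.FilePath; // excludes path info and query string
        if (file.EndsWith("/_layouts/SignOut.aspx", StringComparison.OrdinalIgnoreCase))
            return true;
        return file.EndsWith("/_layouts/AccessDenied.aspx", StringComparison.OrdinalIgnoreCase)
            && string.Equals(request.QueryString["loginasanotheruser"], "true",
                             StringComparison.OrdinalIgnoreCase);
    }

    internal static void ExpireCookie(HttpContext context, string name, string path, string domain)
    {
        // Hide the cookie from later code in this request (e.g. the login page).
        context.Request.Cookies.Remove(name);

        // Overwrite it in the browser with an empty, already-expired cookie.
        HttpCookie expired = new HttpCookie(name, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.Path = path;
        if (!string.IsNullOrEmpty(domain)) expired.Domain = domain;
        expired.HttpOnly = true;
        context.Response.Cookies.Set(expired);
    }

    public void Dispose() { }
}
```

If the cookie still reaches the login page after sign-out, compare the Set-Cookie header the RSA agent originally sent with the expiring one in a browser's network trace; a mismatched path or domain is the usual cause.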

Comments

  • Anonymous
    December 13, 2007
    Hi, I have one doubt about HTTP modules. I want to create one HTTP module for my SharePoint site; how can we implement the functionality in our SharePoint site? Thanks, Maria

  • Anonymous
    February 07, 2008
    SharePoint 2007 (MOSS/WSS) FBA and RSA Unanswered Questions Since my last post Using HTTP Module for

  • Anonymous
    February 07, 2008
    Since my last post Using HTTP Module for SharePoint 2007 (MOSS/WSS) site using FBA And RSA , I received

  • Anonymous
    May 20, 2009
    Great solution!  My problem is slightly different.  I get a 403 Forbidden when selecting Sign Out.  The Url for SignOut.aspx includes the workspace address within the Site Collection, a location which requires authentication to access.  If I remove the workspace portion of the Url such that the Url now points to the root the page loads properly.  Thus, I am thinking that the best solution might be to use the HttpModule to redirect the page.  Is this the best/easiest way to solve the problem?  If so, do you have an example of what the redirect code might look like? Many, many thanks. Doug

  • Anonymous
    June 02, 2009
    Hi there, Since 2009, RSA provides an "RSA Solution for SharePoint": http://www.rsa.com/sharepoint This is supposed to include the RSA SecurID authentication method through SharePoint, even though there is still no useful information on how to do that. RSA is pretty easy to integrate with ISA 2006. But there is no walkthrough to forward the authentication to the SharePoint website using the ISA publication rule and no SharePoint FBA but just Windows authentication. Does anyone have any update on this? Regards, Etienne.

  • Anonymous
    August 31, 2010
    Can you redirect me to steps on how to deploy the module? I have tried GACing the DLL and making the httpmodule entry in the web app. The module seems to work, but not completely. I mean, when I attach the debugger, it is able to show me that the handler has caught the event, but nothing happens after that. It just comes out doing nothing.

  • Anonymous
    September 08, 2010
    Did you guys have a chance to run InfoPath forms (which call custom web services to load data) after deploying any HTTP Module in a WSS 3.0 or MOSS 2007 environment? I have written an HTTP Module to automate migration of users from one domain to another. The module works fine (kicks in after the AuthenticateRequest() event), but the forms are showing up this error. When I remove all web service calls from the form, the forms render without any error.... When I remove my HTTP Handler and then deploy my forms (with all custom web service calls), the forms start working again! Any ideas?

  • Anonymous
    December 08, 2010
    I also have to do the same. Can you provide the code for removing the RSA cookie?