Basic Authentication logout Issues

A quite interesting bit of work I am doing at the moment is building an AngularJS app running on an IBM iSeries. This has presented a whole series of odd little challenges, but the one that bit us hard by corporate standards was logout and session expiry. The system and its sessions are on an Apache box sitting on an iSeries, and it has turned out that not only was the Apache logout URL not present, but the Apache session expiry did not take effect [1].

So what to do….

I have done a nasty little JavaScript solution but one I think fits the circumstances.

  1. As this is for an AngularJS app, no jQuery or such.
  2. I did not want this solution to actually be built into the AngularJS app: in a perfect world the underlying issues will be fixed and I want it easily ripped out. I also don't want the code mentioned in each controller, etc.
  3. The server that the app is running on has no facility to handle log off and does not have session based authentication (or even a login page)

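Basic authentication does not really handle log off very well. The browser caches the credentials and resends them with every request, and Basic authentication itself defines no way to log out. For everything but Internet Explorer you basically have to perform a fake login, so that the browser replaces the cached credentials with ones that fail.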

/**
 * Reports whether the browser identifies itself as Internet Explorer or
 * legacy Edge, judging only by the user-agent string.
 *
 * The result is used to pick a logout technique, nothing more. A user-agent
 * string is supplied by the client and can be changed freely, so this must
 * not be treated as a security control.
 *
 * @returns {boolean} true when the user agent contains an 'MSIE ',
 *   'Trident/' or 'Edge/' token, false for any other browser.
 */
function detectIE() {
    var userAgent = window.navigator.userAgent;
    console.log('In detectIE');

    // Checked in this order; the first match wins and its label is logged.
    var signatures = [
        { token: 'MSIE ', label: 'IE 10 or older' },
        { token: 'Trident/', label: 'IE 11' },
        { token: 'Edge/', label: 'Edge (IE 12+)' }
    ];

    for (var i = 0; i < signatures.length; i++) {
        // "> 0" rather than ">= 0": a token at the very start of the string
        // does not count as a match.
        if (userAgent.indexOf(signatures[i].token) > 0) {
            console.log(signatures[i].label);
            return true;
        }
    }

    // other browser
    return false;
}
/**
 * Best-effort "log off" for HTTP Basic authentication, done entirely in the
 * browser, followed by a redirect.
 *
 * When detectIE() reports IE / legacy Edge, the browser is asked to run the
 * ClearAuthenticationCache command and the page then navigates. Otherwise a
 * GET for the current path is sent with a deliberately bogus Authorization
 * header (the "fake login"); any status other than 200 is taken to mean the
 * bogus credentials were rejected and the page navigates, while a 200 is
 * only logged and the user stays where they are.
 *
 * Review notes:
 *  - Nothing in this function invalidates anything on the server. The real
 *    username and password stay valid; only the browser's cached copy is
 *    targeted.
 *  - LogOffPage is assigned to window.location unchanged. Pass only a fixed,
 *    same-origin path; never a value taken from the URL, a form field or any
 *    other user-controlled source.
 *  - 'Basic XXXXXXXXXXXXXXXX' is a placeholder for credentials that must
 *    fail. Real credentials must never be placed here: the script is readable
 *    by anyone who can load the page.
 *  - The result of execCommand is ignored, and the XHR has no onerror
 *    handler, so a failed clear or a network error is not reported.
 *  - NOTE(review): ClearAuthenticationCache is documented as clearing all
 *    cached credentials, not only this site's, and detectIE() also returns
 *    true for 'Edge/' user agents -- confirm the command works there.
 *
 * @param {string} [LogOffPage] Where to navigate after the attempt; defaults
 *   to the current location.pathname when falsy.
 */
function ClearAuthentication(LogOffPage)
{
    var destination = LogOffPage ? LogOffPage : location.pathname;

    if (detectIE() === true) {
        console.log('In IE');
        // Logoff Internet Explorer
        document.execCommand("ClearAuthenticationCache");
        window.location = destination;
        return;
    }

    console.log('Not IE');
    var request = new XMLHttpRequest();

    // Runs once a response has been received for the fake login.
    function handleResponse() {
        if (request.status !== 200) {
            console.log('should be logged out');
            window.location = destination;
            return;
        }
        // 200 means the request was still accepted.
        console.log('did not log you off');
    }

    request.open('GET', location.pathname);
    request.setRequestHeader('Authorization', 'Basic XXXXXXXXXXXXXXXX');
    request.onload = handleResponse;
    request.send();
}

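Followed by a very iffy 30 min log off timer, that surprisingly works rather well. It runs purely in the browser, so it only covers a page left open and idle; it is no substitute for session expiry on the server.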

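/**
 * Starts a client-side inactivity watcher: after 30 minutes without mouse
 * movement or a key press, ClearAuthentication() is called.
 *
 * Changes from the earlier version:
 *  - The timer is armed as soon as this function runs. Previously it was
 *    only started from an event handler, so a page whose load event had
 *    already fired, and which then saw no mouse or key activity, never
 *    timed out at all.
 *  - Handlers are attached with addEventListener instead of assigning
 *    window.onload / document.onmousemove / document.onkeypress, so they no
 *    longer replace handlers installed by other code, and cannot be replaced
 *    by a later assignment to those properties.
 *
 * Review notes:
 *  - Only 'mousemove' and 'keypress' count as activity; touch, click and
 *    scroll do not reset the timer.
 *  - The timer lives in this page only. It is a convenience for unattended
 *    browsers and does not replace an idle timeout enforced by the server.
 */
var inactivityTime = function () {
    var IDLE_LIMIT_MS = 1800000; // 30 min till logout
    var t;

    function logout() {
        ClearAuthentication();
    }

    function resetTimer() {
        clearTimeout(t);
        t = setTimeout(logout, IDLE_LIMIT_MS);
    }

    window.addEventListener('load', resetTimer);
    // DOM Events
    document.addEventListener('mousemove', resetTimer);
    document.addEventListener('keypress', resetTimer);

    // Arm immediately so the timeout cannot be skipped when no event fires.
    resetTimer();
};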
// Start the inactivity watcher as soon as this script is evaluated.
inactivityTime();

 

Footnotes
  1. But even if it had, it would have screwed up the internal application that most people use to have an iSeries session via a browser.
