000017151 - Users wishes to logout of their web application automatically.

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017151
Applies ToWeb Page is protected by RSA Web Agent 7.1
IssueUsers wishes to automatically logout of their application. This may for example be Outlook Web Access
User clicks on the logout page in their application but when they use the back button they are still able to access a protected resource
CauseAs stated in the Implementation and Configuration Guide:

A user could experience the following browser issues while accessing protected
? Both Internet Explorer and Firefox maintain a single browser session across
multiple instances of the browser. If a user has successfully authenticated onto a
protected resource in one instance of the browser, as long as that instance remains
open, all other instances of the browser share the same authentication cookie.
Therefore, the user does not have to authenticate again in any other instances of
the browser to access protected resources.
To exit the browser session, users must close all instances of the browser.
? When a user clicks the [RSA]logoff URL, it automatically invalidates the user?s web
access authentication cookies and prompts the user to authenticate.
ResolutionThe user can add the following to their logout web page so that after 10 seconds, the RSA logout page will automatically be loaded and the user logged of.

Put the following on the applications logout  page between the <head> html tags

 <meta http-equiv="refresh" content="10;URL='https://www.myserver.com/WebID/IISWebAgentIF.dll?logoff?referrer='">

 (Note that there are single quote ' around the URL here, with " " around the whole string after content=

 It is also important to change www.myserver.com to the name of the server.

This logoff URL works only if you have not selected the "Use RSA Token for Cross-Site Request Forgery Protection"

Legacy Article IDa59424