|Applies To||Web Page is protected by RSA Web Agent 7.1|
|Issue||Users wish to automatically log out of their application, for example Outlook Web Access.
The user clicks the logout page in their application, but when they use the back button they can still access a protected resource.
|Cause||As stated in the Implementation and Configuration Guide:|
A user could experience the following browser issues while accessing protected
- Both Internet Explorer and Firefox maintain a single browser session across
multiple instances of the browser. If a user has successfully authenticated onto a
protected resource in one instance of the browser, as long as that instance remains
open, all other instances of the browser share the same authentication cookie.
Therefore, the user does not have to authenticate again in any other instances of
the browser to access protected resources.
To exit the browser session, users must close all instances of the browser.
- When a user clicks the [RSA]logoff URL, it automatically invalidates the user's web
access authentication cookies and prompts the user to authenticate.
|Resolution||The user can add the following to their logout web page so that after 10 seconds the RSA logout page is loaded automatically and the user is logged off.|
Put the following on the application's logout page between the <head> HTML tags:
<meta http-equiv="refresh" content="10;URL='https://www.myserver.com/WebID/IISWebAgentIF.dll?logoff?referrer='">
(Note that there are single quotes ' around the URL here, with double quotes " " around the whole string after content=.)
It is also important to change www.myserver.com to the name of the server.
This logoff URL works only if you have not selected the "Use RSA Token for Cross-Site Request Forgery Protection" option.
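A check for the edit described above, as an added example that is not part of the original article or of RSA's product: it parses a logout page, finds the meta refresh inside <head>, and reports quoting, host and path mistakes. The function names, the host portal.example.test and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample logout page; portal.example.test is a placeholder host.
SAMPLE = """<html><head><title>Signed out</title>
<meta http-equiv="refresh" content="10;URL='https://portal.example.test/WebID/IISWebAgentIF.dll?logoff?referrer='">
</head><body>You have signed out.</body></html>"""

class RefreshFinder(HTMLParser):
    """Collect the content of each <meta http-equiv="refresh"> inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.refresh = False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head and (a.get("http-equiv") or "").lower() == "refresh":
            self.refresh.append(a.get("content") or "")
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_logout_page(html, agent_host):
    """Return a list of problems; an empty list means the redirect is well formed."""
    finder = RefreshFinder()
    finder.feed(html)
    if not finder.refresh:
        return ['no <meta http-equiv="refresh"> inside <head>']
    # Expected shape: seconds;URL='...' with matching (or no) quotes around the URL.
    m = re.fullmatch(r"\s*(\d+)\s*;\s*url\s*=\s*(['\"]?)(.*?)\2\s*", finder.refresh[0], re.I | re.S)
    if not m:
        return ["content is not of the form seconds;URL='...'"]
    target = m.group(3)
    if not target or target[0] in "'\"" or target[-1] in "'\"":
        return ["URL is empty or its quotes are unbalanced"]
    url, problems = urlsplit(target), []
    if url.scheme != "https":
        problems.append("logoff URL is not https")
    if (url.hostname or "").lower() != agent_host.lower():
        problems.append(f"host is {url.hostname!r}, expected {agent_host!r}")
    if not url.path.lower().endswith("/webid/iiswebagentif.dll"):
        problems.append("path does not point at /WebID/IISWebAgentIF.dll")
    if not url.query.startswith("logoff"):
        problems.append("query string does not start with logoff")
    return problems
```

Calling check_logout_page(SAMPLE, "portal.example.test") returns an empty list; a page that still carries www.myserver.com returns a host mismatch.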
|Legacy Article ID||a59424|