Microsoft KB Archive/315584

= HOW TO: Automatically Log a User Off from a Web Application =

Article ID: 315584

Article Last Modified on 6/22/2005

-

APPLIES TO


 * Microsoft Internet Explorer 5.5
 * Microsoft Internet Information Server 3.0
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q315584



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



IN THIS TASK
SUMMARY
 * Requirements
 * Use the HTTP Response Header to Log a User Off from a Web Application
 * Use the setInterval Method to Log a User Off from a Web Application
 * Verification



SUMMARY
This article describes two methods that you can use to automatically log a user out of your Web application.

In the first method, you learn about the Refresh HTTP Response Header and how to add it to your HTML page to redirect a user to a logoff page.

In the second method, you use HTML, Active Server Pages (ASP), and Microsoft Visual Basic Scripting Edition (VBScript) to produce a more sophisticated solution by using the VBScript method setInterval.

back to the top

Requirements
The following items describe the recommended hardware, software, network infrastructure, skills, knowledge, and service packs that you need.
 * Internet Information Services (IIS) 3.0 or later.
 * Internet Explorer 4.0 or later.

You also must have knowledge of the following:
 * A working knowledge of HTML.
 * Familiarity with ASP and VBScript.

back to the top

Use the HTTP Response Header to Log a User Off from a Web Application
The first and easiest way to log a user off from a Web application is to use an HTTP response header to redirect the browser after a certain length of time.   Open a text editor, such as Notepad, and then type the following HTML content:    Redirect Demo   You will be logged out after 10 seconds  </HTML> The <META> tag redirects the browser to Logoff.htm after ten seconds (unless the user refreshes the page, or loads a different page). The page redirection occurs automatically even if the user is interacting with the page at that time. In practice, a timeout of 20 minutes (1200 seconds) is typically used with this type of redirection. </li> <li>Save this file as RedirectDemo.htm.</li> <li> Create a new file in Notepad, and then type the following HTML content: <HTML>  Redirect Demo - Logoff Page</TITLE> </HEAD>  You have been logged out</H1> </BODY> </HTML> </li> <li>Save this file as Logoff.htm in the same folder as RedirectDemo.htm.</li> <li>Start Internet Explorer, and then load RedirectDemo.htm. The page displays the message &quot;You will be logged out after 10 seconds.&quot;

After ten seconds, the text &quot;You have been logged out&quot; appears. By looking in the Address bar, you can see that you have been redirected to Logoff.htm.</li></ol>

back to the top

Use the SetInterval Method to Log a User Off from a Web Application
If you require more control over the redirection of the user's browser, you can use the window.setInterval method in script. This causes a subroutine to be called at every instance of the interval.

Each time the user does something on the page, such as clicking an element, or moving the cursor, you can clear the old interval, and then create a new one. This effectively resets the interval to zero, to delay the interval. <ol> <li> Open a text editor, such as Notepad, and then type the following ASP content: <%@Language=VBScript%> <% ' Prevent non-authenticated access If Session(&quot;UserID&quot;) = &quot;&quot; Then Response.Redirect(&quot;Logoff.asp&quot;) ' Prevent page from being cached Response.Expires = -1 %> <HTML>  setInterval Demo</TITLE> <SCRIPT LANGUAGE=VBScript> Dim timer

Sub Init ' Set up the timer. Set it for 5 seconds timer = window.setInterval(&quot;Logout&quot;, 5000) End Sub

Sub Logout ' Take whatever action is required at this point MsgBox &quot;Logging out...&quot; window.location = &quot;Logoff.asp&quot; End Sub

Sub Delay ' Delay the logout clearInterval(timer) Init End Sub </SCRIPT> </HEAD> <BODY OnLoad=&quot;Init&quot; OnClick=&quot;Delay&quot; OnMouseMove=&quot;Delay&quot; OnKeyPress=&quot;Delay&quot;> This page is a test of automatic logout </BODY> </HTML> The OnClick, OnMouseMove, and OnKeyPress events of the  tag trap any user interaction on the whole page and delay the interval. The user is only logged off from the page if no activity occurs for five seconds. </li> <li>Save this file as SetIntervalDemo.asp in the default Web folder on your computer (which is typically C:\InetPub\wwwroot).</li> <li> The Session(&quot;UserID&quot;) variable must be created when the user is authenticated, and you must use the server-side ASP script at the top of the code sample in step 1 on every secure page to make sure that only authenticated users can view them.

For the purposes of this example, create a new file in Notepad, and then type the following ASP content: <%@Language=VBScript%> <% Session(&quot;UserID&quot;) = &quot;user&quot; Response.Redirect &quot;SetIntervalDemo.asp&quot; %> <HTML>  setInterval Demo - Establish Session</TITLE> </HEAD>  </BODY> </HTML> </li> <li>Save this file as StartSession.asp in the same Web folder as SetIntervalDemo.asp.</li> <li> Create a new file in Notepad, and then type the following ASP content for the logoff page: <%@Language=VBScript%> <% ' Flushes authentication information for the user and ends the session Session.Abandon %> <HTML>  setInterval Demo - Logoff Page</TITLE> </HEAD>  You have been logged out</H1> </BODY> </HTML> </li> <li>Save this file as Logoff.asp in the same Web folder as SetIntervalDemo.asp.</li></ol>

back to the top

Verification
In Internet Explorer, type localhost/StartSession.asp in the Address bar. You are immediately redirected to the SetIntervalDemo.asp page, and the text &quot;This page is a test of automatic logout&quot; appears. The Address bar now displays &quot;localhost/SetIntervalDemo.asp&quot;. As long as you move the cursor, click the mouse, or press any keys on your keyboard, nothing occurs. Five seconds after you stop doing anything, the browser redirects to Logoff.asp and the text &quot;You have been logged out&quot; appears. Notice that the Address bar now shows &quot;http://localhost/Logoff.asp&quot;.

back to the top

Keywords: kbhowto kbhowtomaster KB315584

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.