Behavior of the “Logoff URL” option

  • Article

 

Symptoms:

You’ve published an internal Web resource. Your users can successfully authenticate and access the site. However, they may discover that selecting any link from a particular page in the site inadvertently sends them back to the initial UAG login form. If they provide their credentials again, the select page loads correctly. If they navigate back to the page in question and again select any link on the page, they are again sent back to the UAG login form.

 

Potential Cause:

UAG has detected a request that contains your custom “Logoff URL” and has terminated the session and is now un-authenticated. Any continued access to the site will need to be authenticated again.

 

More information:

In the Trunk configuration properties page, under the Authentication tab, you’ll find the “Logoff URL” setting. The default Logoff URL is “/InternalSite/LogoffMsg.asp”. If UAG detects a client request that contains this URL, UAG will terminate the clients’ session.

This setting is configurable and you can specify a custom value to be used as the logoff mechanism. For instance, if your published web application has its own logoff option, you can specify your applications’ logoff URL to terminate the session. For example, your applications’ logoff may be something like “logoff.jsp”. So you might enter “logoff.jsp” as the “Logoff URL” option.  With this value in place, the expectation is that the session will not be terminated until the client makes a request for “logoff.jsp” (or the session times out").

This still doesn’t explain why your users are inexplicably required to re-authenticate when selecting various links in the page. After all, they’re not selecting the applications’ logoff option.  In fact, you may have trouble-shot the issue using a web capture tool such as HTTPWatch or Fiddler…and you have verified that the client does not send a request for “logoff.jsp”, yet you can see that the session has ended and user is required to re-authenticate.

The root of the problem lies in the fact that UAG treats the “Logoff URL” value as a string. Therefore, any client request that contains this “string” will terminate the session. Even if the value you specify for “Logoff URL” is a substring contained in a client request, the session will be terminated.

For example:

The “Logoff URL” value entered is “logoff.jsp”. Logoff.jsp resides in the following location on the server:

/folderA/logoff.jsp

The client sends a request for the following:

/folderB/ignorelogoff.jsp

UAG detects the string “logoff.jsp” in the request for “/folder/ignorelogoff.jsp” and terminates the session.

 

Resolution:

Make sure your custom “Logoff URL” value is not a sub-string of any other client request. For example, using the above scenario, you could specify “/logoff.jsp” (i.e. add a forward slash) as your “Logoff URL”.

 

Author

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team