How To Clear Logon Credentials to Force Reauthentication (195192)


The information in this article applies to:

  • Microsoft Visual InterDev 6.0
  • Microsoft Visual Basic Learning Edition for Windows 6.0
  • Microsoft Visual Basic Professional Edition for Windows 6.0
  • Microsoft Visual Basic Enterprise Edition for Windows 6.0
This article was previously published under Q195192

SUMMARY

This article demonstrates how to use an ActiveX Control written in Visual Basic 6.0 to flush the credentials of an authenticated Web user. This technique applies to Web sites that use Basic authentication and Internet Explorer 4.x.

MORE INFORMATION

Creating the ActiveX Control

  1. Open a new ActiveX Control in Visual Basic.
  2. Name the project "browser," and name the user control "logoff."
  3. Double-click the user control, and paste the following code into the General Declarations area:
          Const INTERNET_OPTION_END_BROWSER_SESSION = 42
					
          Private Declare Function InternetSetOption Lib "wininet.dll" Alias
      "InternetSetOptionA" _
      (ByVal hInternet As Long, ByVal lOption As Long, ByRef sBuffer As
      Any, ByVal lBufferLength As Long) As Integer

      Public Function flushCredentials() As Integer
         Dim h As Integer
         h = InternetSetOption(0, INTERNET_OPTION_END_BROWSER_SESSION,
                               0, 0)
         flushCredentials = h
      End Function
  4. Save your project.
  5. Make the .ocx file. You now have an ActiveX Control that has a public function and will clear the credentials that were used to obtain access to a site when it is called.
  6. Prepare the ActiveX Control for Internet distribution. To package the ActiveX Control for distribution over the Internet, you need to use the Packaging and Deployment add-in in Visual Basic 6.0 to make a CAB file.

Creating a Web Site to Test the ActiveX Control

  1. Create a folder under your Web root, which is typically C:\Inetpub\Wwwroot.
  2. Using either the Microsoft Management Console or Internet Services Manager, set the security method to allow only Basic Authentication.
  3. Create a Web page named Test1.htm that is located in the folder created in step 1 using the following code:
          <HTML>
      <BODY>
      <SCRIPT language=javascript>
      <!--
         var obj1 = new ActiveXObject("browser.logoff")
      //-->
      </SCRIPT>
      <br>
      <INPUT type="button" value="Click to Logoff" id=button1 name=button1>
      <SCRIPT for=button1 event=onclick LANGUAGE=javascript>
      <!--
         var x = obj1.flushCredentials();
         window.navigate("test1.htm");
      //-->
      </SCRIPT>
      </BODY>
      </HTML>
  4. Open Internet Explorer on the computer where you created the ActiveX Control, and go to the sample page (Test1.htm). The test is successful if:
    • You were presented with a log on dialog box after you requested the page.
    • After you click Click to Logoff, you are presented with an authentication dialog box that does not contain the username or password from the previously authenticated user.

Making the ActiveX Control Available to Everyone Who Requests the Page

  1. Replace the script containing the "new ActiveXObject" with an HTML <OBJECT> tag containing an ID tag set equal to obj1. The <OBJECT> tag should include the clsid of the Browser.ocx and a codebase with the URL to the Browser.ocx file.
  2. In Visual Basic 6.0, open the Browser.ocx project, and then click Debug. Visual Basic opens a Web page that is hosting the ActiveX Control. View the source of the Web page. Now you have 90 percent of the <object> tag required to create the object. To finish the <OBJECT> tag, add a codebase=, and supply a URL to the location where you intend to put the ActiveX Control to distribute the ActiveX Control.
  3. In Visual InterDev 6.0, open the Web project created in step 1 of the previous section, "Creating the Sample Web Site." Right-click on the toolbar, and select customize toolbox. On the ActiveX Control tab, select the Browser.logoff check box. You should see an ActiveX Control in the ActiveX toolbar named "logoff." Click on the logoff control, and drag it onto your page, Test1.htm. If you view the run-time text, you should see the <OBJECT> tag. Add an ID property to Test1.htm with a value of obj1, and add a codebase property to it to supply the object with a URL to download the control from. The <OBJECT> tag should look something like the following: 
          <OBJECT classid="clsid:7890D0A4-62F1-11D2-8D55-00C04FB9D8A6" id=obj1
      codebase="http://path/browser.cab" style="LEFT: 0px; TOP: 0px"
      VIEWASTEXT>
      <PARAM NAME="_ExtentX" VALUE="11404">
      <PARAM NAME="_ExtentY" VALUE="8731"></OBJECT>
To test this code, go to a different computer with Internet Explorer installed, and request the sample page, Test1.htm.

Troubleshooting

When you see an error message stating that the object does not support this method or property, this typically occurs because the object was not marked as safe for scripting. To solve this problem, manually configure the security on Internet Explorer to prompt for Initialize and Script ActiveX controls not marked as Safe. The better way to handle this would be to include code in the sample that marks the control as safe for scripting. For additional information, please see the following article in the Microsoft Knowledge Base:

182598 How To Implement IObjectSafety in Visual Basic Controls

NOTE: You might be prompted to restart your computer after the first time the control in downloaded.
Modification Type:MinorLast Reviewed:7/8/2005
Keywords:kbhowto kbSecurity KB195192
©2004 Microsoft Corporation. All rights reserved.