0
votes

In my web app I have basic authentication, and login and logout are working successfully on all pages, except on a specific public page where I'm requesting in the body a resource (an image) protected by authorization.
If I call this page after logout, in the request for this image I get an unauthorized error (401) in Firefox, Chrome, and IE11. The difference is that while Firefox and Chrome show me the realm popup asking for credentials, IE doesn't ask me anything.
Not asking for credentials means that the credentials remain saved in the browser; in my application I set a flag for sent asking credentials; subsequently I can call a protected page without entering credentials.

So I chose to clear basic authentication credentials, but I don't like this solution:

document.execCommand("ClearAuthenticationCache");

Is there a way to force IE to ask for credentials also for a resource in the body?

1 Answer

0
votes

There's a post discussing different options to clear IE's credential cache. And there's an article about configuring IE to prompt for credentials. I summarize three ways:

  • Programmatically send a 401 HTTP status to the client (e.g. Response.Status = 401).
  • Redirect a user to http://fakeuser:wrongpassword@<host>. Since fakeuser/wrongpassword isn't a valid Windows account, the user will be prompted to enter valid credentials.
  • In the Security tab of Internet Options (IE -> Tools/Gear Icon -> Internet Options), select the appropriate zone for your site and go to the Custom level. Scroll all the way down to User Authentication and select the button beside Prompt for user name and password.

There's also an article about how IE will resend credentials and an article about Internet Explorer prompting for a password; you can also refer to them for further information.
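
An added example, not part of the question or the answer above: a server-side sketch of the first option (answering with a 401) combined with a per-user re-login flag that only a dedicated login page can clear, so a 401 on an embedded image never uses it up. The `/login` and `/logout` paths, the realm, the demo account and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const REALM = 'Protected area';                // assumed realm name
const USERS = new Map([['alice', 's3cret']]);  // constructed demo account
const relogin = new Map();                     // user -> 'pending' | 'challenged'

// Decode "Authorization: Basic <base64(user:pass)>"; null if absent or malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Compare fixed-length digests so the check does not leak where strings differ.
function samePassword(a, b) {
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

function challenge() {
  return { status: 401, headers: {
    'WWW-Authenticate': `Basic realm="${REALM}"`, 'Cache-Control': 'no-store' } };
}

// Decide the response for one request (path + Authorization header value).
function handle(path, authHeader) {
  const cred = parseBasic(authHeader);
  const ok = cred !== null && USERS.has(cred.user) &&
             samePassword(cred.pass, USERS.get(cred.user));
  if (!ok) return challenge();
  if (path === '/logout') {            // logout: remember it and answer 401
    relogin.set(cred.user, 'pending');
    return challenge();
  }
  const state = relogin.get(cred.user);
  if (state && path !== '/login') return challenge();  // images etc. never clear the flag
  if (state === 'pending') {           // first visit to /login after logout
    relogin.set(cred.user, 'challenged');
    return challenge();
  }
  relogin.delete(cred.user);           // already challenged on /login: accept
  return { status: 200, headers: { 'Cache-Control': 'no-store' } };
}
```

Basic authentication sends the same header whether the credentials were retyped or replayed from the browser's cache, so this only guarantees that the challenge is issued on a page navigation rather than on a sub-resource request.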