We've got a WSS 3.0 site that is using Forms Based Authentication (FBA). We want to set the site up so that certain users can be logged in automatically, rather than getting the login screen, and I'm not sure of the best way to do this.

Actually, based on this article, I've already created an HTTP Module that handles the logging in. More specifically, I've created an alternate login page, and when that page is hit it logs in as the desired user. But, it keeps the user logged in after I close the browser down. That is, I start up the browser, go to the alternate login page, my HTTP Module code gets triggered and logs in as the desired user, then I close the browser down. When I then try to go to the site, the standard login page of the site is skipped over because I'm still logged into the site as the earlier user.

I guess my question comes down to how can I make sure I log off? Is there a way to do this with HTTP Modules/Handlers, or do I want to do something in global.asax?

A: 

Silly me. I had the cookie parameter of my FormsAuthentication.RedirectFromLoginPage command set to True. That means the authentication cookie will be persisted for 50 years. What I wanted was to have the cookie go away when the browser was closed. That's easily done if the cookie parameter is set to False. Here's my code if anyone is interested...

Imports System.Web
Imports System.Web.Security
Imports System.Collections.Specialized
Imports System.Security.Principal
Imports System.Threading
Imports System.Web.UI

Public Class AuthModule
    Implements IHttpModule

    Public Sub Dispose() Implements System.Web.IHttpModule.Dispose
    End Sub

    Public Sub Init(ByVal app As System.Web.HttpApplication) Implements System.Web.IHttpModule.Init
        AddHandler app.PreRequestHandlerExecute, New EventHandler(AddressOf OnPreRequestHandlerExecute)
    End Sub

    Public Sub OnPreRequestHandlerExecute(ByVal sender As Object, _
                                            ByVal e As EventArgs)

        ' Check to see if the alternate page has been accessed
        If HttpContext.Current.Request.Url.ToString.ToUpper.EndsWith("AUTOLOGIN.ASPX") Then
            ' Alternate page has been accessed, so log in using predetermined account

            ' Retrieve the user name and password
            Dim userName As String = "user"
            Dim userPassword As String = "password"

            ' Build the user id
            Dim roles As String() = Nothing
            Dim webIdentity As New GenericIdentity(userName, "Form")
            Dim principal As New GenericPrincipal(webIdentity, roles)

            ' Specify the user
            HttpContext.Current.User = principal
            Thread.CurrentPrincipal = principal

            ' Redirect from the login page to the start page
            ' Note, this is the line I initially had incorrect.  That is, I had the
            ' second parameter set to True, which will persist the authentication cookie.
            ' Setting the second parameter to False will cause the authentication cookie
            ' to go away when the browser is closed.  Yeah!
            FormsAuthentication.RedirectFromLoginPage(HttpContext.Current.User.Identity.Name.ToString, False)
        End If

    End Sub

End Class
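
Added example, not part of the original answer: the same session-only behaviour written out with an explicit forms-authentication ticket, plus a log-off routine for the "how can I make sure I log off?" part of the question. The class name `SessionLoginHelper`, its two method names and the 30-minute ticket lifetime are assumptions made for illustration.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Hypothetical helper (added example, not the answer's code).
Public NotInheritable Class SessionLoginHelper

    Private Sub New()
    End Sub

    ' Issue a forms-authentication ticket that lasts only for the browser session.
    Public Shared Sub SignInForSession(ByVal context As HttpContext, ByVal userName As String)
        ' Assumption: 30-minute lifetime. The server rejects the ticket after this
        ' time even if the browser is never closed.
        Dim issued As DateTime = DateTime.Now
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, issued, issued.AddMinutes(30), False, String.Empty, _
            FormsAuthentication.FormsCookiePath)

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' not readable from client script
        cookie.Secure = FormsAuthentication.RequireSSL  ' follows the <forms requireSSL> setting
        ' cookie.Expires is deliberately left unset: with no expiry date the browser
        ' treats this as a session cookie and discards it when it closes.
        context.Response.Cookies.Add(cookie)
    End Sub

    ' Explicit log-off: expire the authentication cookie, then return to the login page.
    Public Shared Sub SignOutAndRedirect(ByVal context As HttpContext)
        FormsAuthentication.SignOut()
        context.Response.Redirect(FormsAuthentication.LoginUrl, True)
    End Sub

End Class
```

The ticket's `isPersistent` argument (the fifth one, `False` here) corresponds to the second parameter of `RedirectFromLoginPage` discussed in the answer.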