'Login as another user' MVC 4 Windows Authentication

asp.net-mvc http windows-authentication logout http-status-code-401
Darbio picture Darbio · Jul 26, 2013 · Viewed 13.3k times · Source

I have an intranet project written in MVC 4 which uses Windows Authentication to authorise and authenticate users.

I need to add a 'Login as another user' functionality.

After some searching I found this solution which suggests returning a 401, and created the following Action (which is called using a form):

    // 
    // POST: /Home/LogOut

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOut()
    {
        return new HttpUnauthorizedResult();
    }

The Action gets called, and the browser pops up a username and password window, however as the result redirects back to the Action, a 401 is always returned.

How do I redirect the user back to the previous action, once they have logged in with the new credentials?

Is there a way to invalidate the credentials on the server side instead of just returning a 401?

Answer

Leniel Maccaferri picture Leniel Maccaferri · Sep 4, 2014

People reverse engineered\decompiled some code from Sharepoint that happens to have this feature.

I tested it in an ASP.NET MVC 5 app and it's working as expected.

The code is based on decompiling the Microsoft.TeamFoundation.WebAccess which has the "Sign in as a different User" function.

public ActionResult LogOut()
{
    HttpCookie cookie = Request.Cookies["TSWA-Last-User"];

    if(User.Identity.IsAuthenticated == false || cookie == null || StringComparer.OrdinalIgnoreCase.Equals(User.Identity.Name, cookie.Value))
    {
        string name = string.Empty;

        if(Request.IsAuthenticated)
        {
            name = User.Identity.Name;
        }

        cookie = new HttpCookie("TSWA-Last-User", name);
        Response.Cookies.Set(cookie);

        Response.AppendHeader("Connection", "close");
        Response.StatusCode = 401; // Unauthorized;
        Response.Clear();
        //should probably do a redirect here to the unauthorized/failed login page
        //if you know how to do this, please tap it on the comments below
        Response.Write("Unauthorized. Reload the page to try again...");
        Response.End();

        return RedirectToAction("Index");
    }

    cookie = new HttpCookie("TSWA-Last-User", string.Empty)
    {
        Expires = DateTime.Now.AddYears(-5)
    };

    Response.Cookies.Set(cookie);

    return RedirectToAction("Index");

}

Source:

Force Sign in as a different user while using Windows Authentication in asp.net

Related questions

Server cannot set status after HTTP headers have been sent IIS7.5

Sometimes I get exception in my production environment: Process information Process ID: 3832 Process name: w3wp.exe Account name: NT AUTHORITY\NETWORK SERVICE Exception information Exception type: System.Web.HttpException Exception message: Server cannot set status after HTTP headers have …

Read More
throwing/returning a 404 actionresult or exception in Asp.net MVC and letting IIS handle it

how do I throw a 404 or FileNotFound exception/result from my action and let IIS use my customErrors config section to show the 404 page? I've defined my customErrors like so <customErrors mode="On" defaultRedirect="/trouble"> <error statusCode="404" …

Read More
Send POST request to asp.net mvc action via Fiddler

I have an ASP.NET MVC web site. One of my routes is a URL that takes 5 parameters. For the sake of illustration, these parameters are named parameter1, parameter2, parameter3, parameter4, and parameter5. Currently, I'm constructing a URL in some …

Read More