In SharePoint 2007 with Internet Explorer 8, after you use "Sign in as a different user", the page displays with old Session data. After 30 seconds the session object is completely refreshed and all data is correct.
SharePoint 2007 does not clear the Session and Cookie objects on "Sign in as a different user". SharePoint 2007 Session objects are not designed as a security boundary.
There are 3 different workarounds available:
NOTE: Due to the relatively complex nature of the workarounds, potential implications should be very carefully evaluated before proceeding.
Workaround 1: customize the init.js file, or override the LoginAsAnother() method, with an additional line of code: document.execCommand("ClearAuthenticationCache"); http://kbalertz.com/Feedback.aspx?kbNumber=970814/en-us
Workaround 2: change the IIS authentication behavior to force authentication for each incoming HTTP request
Run the following:
cscript adsutil.vbs SET w3svc/<webappidentifier>/AuthPersistSingleRequest TRUE
Example: cscript adsutil.vbs SET w3svc/1048141505/AuthPersistSingleRequest TRUE
Workaround 3: create a custom HTTP module and deploy it over the farm (all web applications)
Task of the custom HTTP module: after "Sign in as a different user" is called, the module handles the EndRequest event of the HTTP module interface. Logic to implement: after the request for "/_layouts/AccessDenied.aspx?loginasanotheruser=true", run httpcontext.Session.Clear();
Implementation: after the response to "/_layouts/AccessDenied.aspx?loginasanotheruser=true" has been sent, call httpcontext.Session.Clear();
More details on implementing a custom HTTP module: http://kbalertz.com/Feedback.aspx?kbNumber=307996/en-us
for other considerations.
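The module described in Workaround 3, as an added example that is not code from this article or from Microsoft. The class name ClearSessionOnReLoginModule and the helper IsLoginAsAnotherUser are hypothetical, and matching the page by path suffix (so that sites under a managed path are covered) is an assumption.

```csharp
using System;
using System.Web;

// Hypothetical module name; the article does not name the module.
public class ClearSessionOnReLoginModule : IHttpModule
{
    // Page and query flag quoted in the article.
    private const string AccessDeniedPage = "/_layouts/AccessDenied.aspx";
    private const string LoginFlag = "loginasanotheruser";

    public void Init(HttpApplication application)
    {
        // EndRequest fires after the response for the request has been produced.
        application.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!IsLoginAsAnotherUser(context.Request))
        {
            return;
        }

        // Session is null when no session state is attached to the context
        // at this point in the pipeline, so check before clearing.
        if (context.Session != null)
        {
            context.Session.Clear();
        }
    }

    // True only for AccessDenied.aspx requested with loginasanotheruser=true.
    // Assumption: the page may sit below a site path such as
    // /sites/team/_layouts/AccessDenied.aspx, hence the suffix match.
    internal static bool IsLoginAsAnotherUser(HttpRequest request)
    {
        bool isAccessDenied = request.Path.EndsWith(
            AccessDeniedPage, StringComparison.OrdinalIgnoreCase);
        string flag = request.QueryString[LoginFlag];
        return isAccessDenied
            && string.Equals(flag, "true", StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose()
    {
    }
}
```

The module takes effect only once it is registered in the web.config of each web application in the farm.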
Article ID: 2435214 - Last Review: October 25, 2010 - Revision: 5.0
- Microsoft Office SharePoint Server 2007
- Microsoft Windows SharePoint Services 3.0
- Windows Internet Explorer 8