Secure Logoff from Published Web Sites

Microsoft® Internet Security and Acceleration (ISA) Server 2006 enables secure application publishing. Internal applications, such as Microsoft Exchange Server and Microsoft SharePoint® Portal Server, can be published securely over the Internet. By publishing applications over the Internet using Hypertext Transfer Protocol (HTTP) or Secure HTTP (HTTPS), you enable easier, secure access to corporate resources.

When a user logs on to an application that is published through ISA Server, ISA Server manages the authentication process, receiving the client credentials, validating them with the authentication provider, and then delegating authentication to the published server. ISA Server uses an authentication cookie as part of the authentication process. This document describes how to ensure that when using HTML form authentication, the logoff process takes place securely, so that the authentication cookie cannot be used by an unauthorized user.

When a user logs on to an application published through ISA Server, ISA Server issues a cookie identifying the user. On subsequent user requests, the system first checks the cookie to see if the user was already authenticated, so that the user does not have to supply credentials again.

When you select HTML form authentication, which you configure on the Web listener, you can configure whether the authentication cookies will be persistent or non-persistent. Non-persistent cookies are removed from the client computer when all of the browser windows are closed (ending the browser process) or when the user logs off the computer. Persistent cookies remain on the computer after the browser window has been closed, and are only removed when the user logs off the computer. You can also configure a maximum idle time, so that if a user abandons a computer and leaves the browser open and inactive, the cookie will automatically expire.

If you select to use persistent cookies, you can specify whether they are used on public computers or private computers. Note that when logging on, the user indicates whether logging on from a public or private computer.

Leaving a cookie in place after the user ends the session creates a risk, because the next user on the client computer could make use of the cookie to access corporate resources. This is particularly true in the case of a public computer, such as an airport Internet kiosk. For this reason, we recommend that you enable persistent cookies on private computers only.

As an additional measure to avoid security issues associated with cookies, we recommend that you create a logoff process that removes the cookies, and train corporate users to log off each time they leave a public computer. The logoff process should be triggered by clicking a link or button on the corporate Web page.

Note the following:

  • When you use HTML form authentication, and the user explicitly logs off using the secure logoff approach described in this document, ISA Server notes that the cookie has been revoked. This ensures that even if a cookie was illicitly obtained, it cannot be used to gain access to the Web site, even if the encryption key used with the cookie has expired. When you use RSA SecurID authentication, the cookie is not revoked, but the logon session stored in the cookie is closed.
  • When HTML form authentication is used with RPC over HTTP or ActiveSync®, you cannot create a logoff link. The cookie will automatically expire after a period of time you configure in the Advanced Form Options dialog box of the Web listener.
  • When forms of authentication other than HTML form authentication are used, closing the browser windows is the best means of ensuring that the logoff takes place securely.

ISA Server can be configured to recognize a logoff URL when a user logs off from an application. When ISA Server receives the logoff URL in a user request, it logs off the user, removes the authentication cookie from the user computer, and for HTML form authentication, notes that the cookie has been revoked.


ISA Server then presents the logoff page to the user, indicating that the logoff has taken place successfully.

To make use of this feature, you must do the following:

  • Configure a logoff URL for the applicable publishing rules in ISA Server.
  • Create a logoff link on the application's Web page that sends a request including the logoff URL to the published URL on ISA Server.

Configuring a Logoff URL

Use the following procedure to configure the logoff URL.

To configure the logoff URL for the publishing rule
  1. In ISA Server Management, click the Firewall Policy node.

  2. In the details pane, double click the publishing rule to open its properties.

  3. On the Application Settings tab, in the Published server logoff URL field, type the string that will be used to indicate a logoff request. For example, ?Cmd=logoff, or logoff=1.


Creating a Logoff Link

When the user clicks the logoff link, it has to trigger a request directed at the published server through ISA Server. The link must include the logoff URL. For example, if you are publishing, and the logoff URL is ?CMD=logoff, the link should send the request

This following sample HTML code creates a logoff link.

<p> <font size=+1>When you are ready to exit this portal, click this link:</p>

<p> <a href=" ">Log off</a></font> </p>