Article ID: 2435214
In SharePoint 2007 with Internet Explorer 8, using "Sign in as a different user" displays the page with old Session data. After 30 seconds, the session object is completely refreshed and all data is correct.
SharePoint 2007 does not clear the Session and Cookie objects when "Sign in as a different user" is used. SharePoint 2007 Session objects are not designed as a security boundary.
There are 3 different workarounds available:
NOTE: Due to the relatively complex nature of the workarounds, potential implications should be very carefully evaluated before proceeding.
Workaround 1: Customize the init.js file, or override the LoginAsAnother() method, with an additional line of code: document.execCommand("ClearAuthenticationCache");
Workaround 2: Change the IIS authentication behavior to force authentication for each incoming HTTP request.
Run the following:
cscript adsutil.vbs SET w3svc/<webappidentifier>/AuthPersistSingleRequest TRUE
Example: cscript adsutil.vbs SET w3svc/1048141505/AuthPersistSingleRequest TRUE
Workaround 3: Create a custom HTTP module and deploy it over the farm (all web applications).
Task of the custom HTTP module: after "Sign in as a different user" is called, the custom HTTP module implements the EndRequest method of the HTTP module interface. Logic to implement: after "/_layouts/AccessDenied.aspx?loginasanotheruser=true" is called, run httpcontext.Session.Clear();
Implementation: after the Response for "/_layouts/AccessDenied.aspx?loginasanotheruser=true" has been sent, call httpcontext.Session.Clear();
More details on implementing a custom HTTP module:
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
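The module described in Workaround 3, written out as an added example; it is not code from this article or from Microsoft. The class name ClearSessionOnReloginModule and the helper IsReloginRequest are hypothetical, and the suffix match on the path assumes that sites below the web application root also serve the page at ".../_layouts/AccessDenied.aspx".

```csharp
using System;
using System.Web;

// Added example (hypothetical class name): clears ASP.NET session state once
// SharePoint has answered the "Sign in as a different user" request.
public sealed class ClearSessionOnReloginModule : IHttpModule
{
    // Page and query flag quoted in Workaround 3 of this article.
    private const string AccessDeniedPath = "/_layouts/AccessDenied.aspx";
    private const string ReloginFlag = "loginasanotheruser";

    public void Init(HttpApplication application)
    {
        // EndRequest fires for every request, so the handler filters first.
        application.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!IsReloginRequest(context.Request))
        {
            return;
        }

        // Session is null when session state is not available for the request.
        if (context.Session != null)
        {
            context.Session.Clear();
        }
    }

    // True only for ".../_layouts/AccessDenied.aspx?loginasanotheruser=true".
    internal static bool IsReloginRequest(HttpRequest request)
    {
        bool isAccessDenied = request.FilePath.EndsWith(
            AccessDeniedPath, StringComparison.OrdinalIgnoreCase);
        string flag = request.QueryString[ReloginFlag];
        return isAccessDenied
            && string.Equals(flag, "true", StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```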