Logoff
When a user is logged in to your storefront, you must provide a way for them to safely log off. The Logoff endpoint is a simple HTTP page that signs the user out, clears their authentication cookie, and then redirects them based on query or form parameters: /Admin/Public/ExtranetLogoff.aspx
This endpoint triggers the sign-out pipeline in the server middleware. It supports the following parameters:

| Parameter | Type | Description |
|---|---|---|
| `redirect` | string | Specifies where to send the user after logoff. Provide an absolute URL (e.g., /Home). If omitted, the referrer logic (Referer header) applies. |
| `cancelredirect` | boolean | If true, disables any automatic redirect and returns a 200 OK with no redirection. Useful for AJAX flows. |
Please note that `?redirect=false` is supported as a legacy feature; setting `redirect=false` is equivalent to `cancelredirect=true`.
Tip
Both parameters can be sent via query string or POST form fields.
Implementation methods
1. Link with no parameters
A basic logoff link without any query or form parameters relies on the default redirect logic:
```html
<a href="/Admin/Public/ExtranetLogoff.aspx">Log off</a>
```
When clicked, the server signs the user out and then:
- Attempts to redirect to the referring page (from the `Referer` header) if present.
- If no valid referrer is found, falls back to `/` (the storefront front page).

Note:
- If the referrer requires authentication (e.g. `/my-account`), the user will be sent back to that URL, but since they are now signed out, the normal login middleware will immediately redirect them to the login page.
- If the referrer does not require authentication (e.g. `/products`), the user lands on that page after sign‑out.
2. Simple link with redirect parameter
Add a redirect query value to explicitly control where to send the user:
```html
<a href="/Admin/Public/ExtranetLogoff.aspx?redirect=/">Log off</a>
```
This bypasses the referrer logic and always issues an HTTP 302 to /.
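When the `redirect` value is built from request data (for example a return-URL parameter) rather than hard-coded, constraining it to a same-origin path before it reaches the logoff link keeps the post-logoff destination on the storefront. The following is an added example, not Dynamicweb code; `STOREFRONT_ORIGIN`, `safeLocalPath` and `buildLogoffUrl` are hypothetical names, and the origin is a placeholder.

```javascript
// Added example: not part of the Dynamicweb code base.
const LOGOFF_PATH = '/Admin/Public/ExtranetLogoff.aspx'; // endpoint from this page
const STOREFRONT_ORIGIN = 'https://shop.example';        // assumption: your own origin

// Reduce an untrusted "return to" value to a same-origin path, or null.
function safeLocalPath(target, origin = STOREFRONT_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0) return null;
  // Backslashes and control characters are normalised inconsistently
  // across browsers and servers, so reject them outright.
  if (/[\\\u0000-\u001f\u007f]/.test(target)) return null;
  let url;
  try {
    url = new URL(target, origin); // relative values resolve against our origin
  } catch {
    return null;
  }
  // "//other.example/x" and "https://other.example/" resolve to a foreign
  // origin; non-hierarchical schemes have the opaque origin "null".
  if (url.origin !== origin) return null;
  // Emit only the path part. The result always starts with "/", so it can
  // never be the literal "false" that the endpoint treats as cancelredirect.
  return url.pathname + url.search + url.hash;
}

// Build the logoff link; fall back to the front page for rejected targets.
function buildLogoffUrl(target) {
  const params = new URLSearchParams();
  params.set('redirect', safeLocalPath(target) ?? '/');
  return `${LOGOFF_PATH}?${params}`;
}
```
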
3. Asynchronous JavaScript
For an AJAX‑style flow, disable automatic redirects on the server and handle navigation client‑side:
```html
<button id="btnLogoff">Log off</button>
<script>
  document.getElementById('btnLogoff').addEventListener('click', async () => {
    // Call logoff without redirect
    const response = await fetch('/Admin/Public/ExtranetLogoff.aspx?cancelredirect=true', {
      method: 'GET',
      credentials: 'include'
    });
    if (response.ok) {
      // Option 1: reload current page
      window.location.reload();
      // Option 2: navigate elsewhere
      // window.location.href = '/Goodbye';
    } else {
      console.error('Logoff failed', response.status);
    }
  });
</script>
```
This approach gives you full control of the user experience after sign‑out.
Middleware behavior
When the logoff endpoint is called, the user’s authentication session is terminated by clearing their cookie. After signing out, the endpoint decides how to proceed:
- `cancelredirect`: If the request includes the `cancelredirect` parameter (e.g. `?cancelredirect=true`), it returns a simple success with no redirect.
- `redirect`: If a `redirect` parameter is provided (e.g. `?redirect=/MyPage`), the user is sent there.
- Referer header: Otherwise, if the browser’s `Referer` header is present, the user is returned to that page.
- Default: If none of those conditions apply, the user is redirected to the storefront home page (`/`).
Throughout this process, the server adds an X-DWAPP-MSG-LOGONHANDLER header to indicate which path was taken, aiding in troubleshooting.
Technical details
Cookie reset
The logoff endpoint /Admin/Public/ExtranetLogoff.aspx clears the user’s session by issuing a Set-Cookie header with an expired Dynamicweb.Extranet cookie, instructing the browser to remove it.
Response headers
Depending on which redirect branch succeeds, the server includes an X-DWAPP-MSG-LOGONHANDLER header in the response of the logoff endpoint (/Admin/Public/ExtranetLogoff.aspx). Because the endpoint immediately issues a redirect, you must open your browser’s developer tools, go to the Network panel, and inspect the logoff request itself to see this header (it will not appear on the destination page after the redirect).
The header value will be one of:
- `TryRedirectToRedirectUrl`
- `TryRedirectToReferrer`
- `TryRedirect failed with value: {value}`
- (no header if `cancelredirect=true`)
Execution flow order
```
LogOff()
  └─ SignOutAsync()
      └─ Redirect()
          ├─ IsRedirectCancelled?
          ├─ TryRedirectToRedirectUrl?
          ├─ TryRedirectToReferrer?
          └─ Redirect to "/"
```