Setting timeout for basic authentication

Joseph

I have an intranet application that I set up using Windows
authentication through IIS basic authentication. Is there
a way to set a timeout, so that after ten minutes the user
will be prompted again to enter their login ID and
password? I have not been able to find anything on
Microsoft or Google. Other than this, the only way a user
will be prompted again is if they are forced to open a new
browser window to get to the web page. Thanks
 
Joseph,

I don't know if there is a way to do this. It's more a matter of the
browser storing the credentials and then sending them with each request.
There ^might^ be a header that you can use to cancel this behavior, but I
wouldn't think one exists.

To be sure, I would look somewhere in the HTTP specification for a
header that might change this; other than that, my guess is that there is
little you can do.

Hope this helps.

--
- Nicholas Paldino [.NET/C# MVP]
 
Thanks for the response.

 
This is what I found by searching through the host header and similar
documentation on w3:

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients and user agents typically retain authentication
information indefinitely. HTTP/1.1 does not provide a method for a server to
direct clients to discard these cached credentials. This is a significant
defect that requires further extensions to HTTP. Circumstances under which
credential caching can interfere with the application's security model
include but are not limited to:

- Clients which have been idle for an extended period following
which the server might wish to cause the client to reprompt the
user for credentials.
- Applications which include a session termination indication
(such as a `logout' or `commit' button on a page) after which
the server side of the application `knows' that there is no
further reason for the client to retain the credentials.

This is currently under separate study. There are a number of work-arounds
to parts of this problem, and we encourage the use of password protection in
screen savers, idle time-outs, and other methods which mitigate the security
problems inherent in this problem. In particular, user agents which cache
credentials are encouraged to provide a readily accessible mechanism for
discarding cached credentials under user control.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.6

 
Hi Joseph

This is untested, but worth a go.

With Basic authentication, two headers are important. When a protected
resource is initially requested, there is a WWW-Authenticate header sent from
the server to the client, one for each authentication type, in order of
preference, in a 403 access denied HTTP response. The client, once it has
identified a suitable authentication mechanism, resubmits the HTTP request
with an Authorization header containing the credentials; in the case of Basic
authentication it's just Base64-encoded username:password. The Authorization
header never times out, hence the problem that you are seeing...

I think (but I'm not sure!) that if you were to write a cookie from the
server to the client with the last access time, then check that cookie when
the request comes back to see if your timeout period has elapsed, you
could send an HTTP 403 response together with the WWW-Authenticate headers
again, and this would force the browser to redisplay the login dialog.

It may work!! But you've some work to do.

Nigel Armstrong
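The cookie-based idle timer sketched in the reply above, worked through as an added example. This is not code from the thread or from IIS; it is a small Python model of the server-side decision (request headers in, status and response headers out) so the protocol exchange can be traced without a web server. The account table, the cookie secret and the cookie name are constructed for the example; on IIS the password check itself would be done by Windows, and only the timer logic is the point. Two details matter for it to work in a real browser: the re-prompt is triggered by a 401 response carrying WWW-Authenticate (a 403 does not make browsers show the dialog), and the same 401 must reset the signed timer cookie, because the browser applies Set-Cookie from that response and the request it sends after the user retypes the password is otherwise rejected again. The cookie is HMAC-signed so the client cannot move the timestamp forward, and a missing or forged cookie is treated like an expired one.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the thread): one account and a
# server-side secret for signing the idle-timer cookie. On IIS the
# password check would be done by Windows; the timer logic is the point.
USERS = {"joseph": "Secret123"}
COOKIE_SECRET = b"constructed-server-secret-change-me"
COOKIE_NAME = "lastseen"
IDLE_TIMEOUT = 600          # ten minutes, as asked in the question
REALM = "intranet"

# (status, response headers, body)
Response = Tuple[int, Dict[str, str], str]


def _sign(ts: int) -> str:
    """Cookie value '<ts>.<hmac>' so the client cannot move the timer."""
    mac = hmac.new(COOKIE_SECRET, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def _cookie_timestamp(value: Optional[str]) -> Optional[int]:
    """Return the timestamp from a correctly signed cookie, else None."""
    if not value or "." not in value:
        return None
    ts_str = value.split(".", 1)[0]
    if not ts_str.isdigit():
        return None
    if not hmac.compare_digest(_sign(int(ts_str)), value):
        return None
    return int(ts_str)


def _parse_cookies(header: str) -> Dict[str, str]:
    """Minimal 'Cookie: a=b; c=d' parser."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def _parse_basic(authz: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)'."""
    if not authz or not authz.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authz[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, pw = raw.split(":", 1)
    return user, pw


def _credentials_ok(user: str, pw: str) -> bool:
    stored = USERS.get(user, "")
    return stored != "" and hmac.compare_digest(stored.encode(), pw.encode())


def _challenge(now: int) -> Response:
    """401 + WWW-Authenticate makes the browser show the login dialog again.
    The same response resets the signed timer, so the request the browser
    sends after the user retypes the password is accepted."""
    return 401, {
        "WWW-Authenticate": f'Basic realm="{REALM}"',
        "Set-Cookie": f"{COOKIE_NAME}={_sign(now)}; HttpOnly; Path=/",
    }, "Unauthorized"


def handle(request_headers: Dict[str, str], now: Optional[int] = None) -> Response:
    """Decide one request: 200 with a refreshed timer, or a fresh challenge."""
    now = int(time.time()) if now is None else now
    creds = _parse_basic(request_headers.get("Authorization"))
    if creds is None or not _credentials_ok(*creds):
        return _challenge(now)
    cookies = _parse_cookies(request_headers.get("Cookie", ""))
    last = _cookie_timestamp(cookies.get(COOKIE_NAME))
    # No cookie, a forged cookie, or an idle gap longer than the limit all
    # get the challenge, even though the Authorization header itself is valid.
    if last is None or now - last > IDLE_TIMEOUT:
        return _challenge(now)
    return 200, {"Set-Cookie": f"{COOKIE_NAME}={_sign(now)}; HttpOnly; Path=/"}, f"Hello {creds[0]}"


def basic_header(user: str, pw: str) -> str:
    """Build the header a browser sends after the dialog (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def cookie_from(response: Response) -> str:
    """Turn a response's Set-Cookie into the Cookie header a browser resends."""
    return response[1]["Set-Cookie"].split(";", 1)[0]


if __name__ == "__main__":
    t0 = 1_000_000
    auth = basic_header("joseph", "Secret123")
    r1 = handle({}, t0)                                              # no creds -> dialog
    r2 = handle({"Authorization": auth, "Cookie": cookie_from(r1)}, t0 + 5)        # -> 200
    r3 = handle({"Authorization": auth, "Cookie": cookie_from(r2)}, t0 + 5 + 601)  # idle -> dialog
    print(r1[0], r2[0], r3[0])
```

Two caveats before relying on this. First, it only forces the dialog: the credentials the browser cached are still valid, so a non-browser client that retries automatically with the same Authorization header is let straight in by the next request, and anyone who already holds the password gains nothing from the timeout. Second, Basic sends the password, merely Base64-encoded, on every request, and the timer cookie should carry the Secure flag as well, so the site needs TLS for either to mean anything.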
 