Windows Authentication Timeout

Will Gillen

I have an ASP.NET application that is using Windows Integrated
Authentication (IIS) (as opposed to Forms Authentication).

When the user first logs into the application, IIS prompts the user for
their credentials.
Once they are "authenticated", their credentials remain active while their
web browser is open.

Now, I want the "authentication" to "timeout" in 3 minutes. This way if
they browse to another page after 3 minutes, they are prompted to "re-enter"
their credentials again.

I know that in FormsAuthentication, you can "de-authenticate" someone by
calling "FormsAuthentication.SignOut();" in the Session_End Event in
Global.asax.

Is there anything like that for Windows Integrated Authentication (IIS)?

(I had posted a similar question in:
microsoft.public.dotnet.framework.aspnet.security, but have not been able to
get a good response. Please excuse me for cross-posting this question, but
I really just need to know if it is even possible...)

Thanks.

-- Will G.
 
bruce barker

When you use integrated security, the credentials are requested for each
page. The browser just kindly tries the old login and password once to see
if it still works. To get the browser to reprompt, just respond with a 401
error. You will have to remember that you sent the 401, or they will never
get in again.


-- bruce (sqlwork.com)




| I have an ASP.NET application that is using Windows Integrated
| Authentication (IIS) (as opposed to Forms Authentication).
|
| When the user first logs into the application, IIS prompts the user for
| their credentials.
| Once they are "authenticated", their credentials remain active while their
| web browser is open.
|
| Now, I want the "authentication" to "timeout" in 3 minutes. This way if
| they browse to another page after 3 minutes, they are prompted to "re-enter"
| their credentials again.
|
| I know that in FormsAuthentication, you can "de-authenticate" someone by
| calling "FormsAuthentication.SignOut();" in the Session_End Event in
| Global.asax.
|
| Is there anything like that for Windows Integrated Authentication (IIS)?
|
| (I had posted a similar question in:
| microsoft.public.dotnet.framework.aspnet.security, but have not been able to
| get a good response. Please excuse me for cross-posting this question, but
| I really just need to know if it is even possible...)
|
| Thanks.
|
| -- Will G.
|
|
 
Will Gillen

I think I understand the approach you suggested.
But, I must be doing something wrong, because now I get prompted twice
during the FIRST request.
Then after the timeout (3 minutes) it does re-prompt me (YES, that's exactly
what I was looking for).
So, what did I do wrong that causes it to prompt me twice during the first
request?

This code is at the top of the Page_Load() method of the page I want to
protect:

    If context.Session.Item("USEROBJ") Is Nothing Then
        If context.Session.Item("AUTH_PROMPT") = True Then
            If context.User.Identity.IsAuthenticated Then
                context.Session.Add("USEROBJ", context.User.Identity)
            Else
                Response.StatusCode = 401
            End If
        Else
            context.Session.Add("AUTH_PROMPT", True)
            Response.StatusCode = 401
        End If
    End If
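
The approach bruce describes (answer with a 401 and remember that you sent it), written out as an added example that is not code from any poster in this thread: it challenges only once the idle limit has passed and never on the first request of a session, where IIS has already prompted. The session keys LAST_SEEN_UTC and CHALLENGE_SENT and the helper MustChallenge are hypothetical names, and it assumes, as reported above, that setting Response.StatusCode = 401 under Integrated Authentication makes the browser prompt again.

```vbnet
' Added example, not code from the thread. Session key names are hypothetical.
Private Const IdleLimitMinutes As Double = 3

Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
    If MustChallenge() Then
        Response.StatusCode = 401
        Response.End() ' stop here so no protected content is rendered
    End If
End Sub

Private Function MustChallenge() As Boolean
    Dim now As DateTime = DateTime.UtcNow

    ' Only relevant if anonymous access is enabled in IIS.
    If Not User.Identity.IsAuthenticated Then Return True

    If Not (Session("CHALLENGE_SENT") Is Nothing) Then
        ' The previous response was our 401, so this request carries the
        ' credentials from the new prompt and IIS has already validated them.
        ' Clear the flag, otherwise the user is challenged forever.
        Session.Remove("CHALLENGE_SENT")
        Session("LAST_SEEN_UTC") = now
        Return False
    End If

    Dim lastSeen As Object = Session("LAST_SEEN_UTC")
    If lastSeen Is Nothing Then
        ' First request of the session: IIS prompted before the page ran,
        ' so a 401 here would cause a second prompt. Just start the clock.
        Session("LAST_SEEN_UTC") = now
        Return False
    End If

    If now.Subtract(CType(lastSeen, DateTime)).TotalMinutes > IdleLimitMinutes Then
        Session("CHALLENGE_SENT") = True ' remember that the 401 was sent
        Return True
    End If

    Session("LAST_SEEN_UTC") = now ' sliding window: activity resets the clock
    Return False
End Function
```

A session that has expired (the ASP.NET session timeout, 20 minutes by default) looks like a first request here, so no challenge is sent in that case. A client that simply resends the same valid credentials after the 401 also gets through, because IIS only checks that the credentials are valid.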
 
Guest

Another way you could do this is to use JavaScript to time out at any time
you want.
If you are interested in JS, let me know!
 
Will Gillen

I give up...
I'm just going to use FormsAuthentication and write a Login page that will
take the user's Windows Domain Credentials and validate them against AD on
the backend. This way I can take advantage of being able to
programmatically control how long a User remains Authenticated. This seems
to be the only approach that will work. Apparently, Windows Authentication
doesn't have a Timeout value that can be set programmatically for ASPX
pages. "Once you're in, you're in" approach seems to be in place. I
understand that SSO (Single Sign-On) is the approach that Windows Integrated
Authentication was going for here, but it seems like programmers should be
able to override this in order to add additional security to certain parts
of their application.

If someone from Microsoft is listening, and can shed some light on this,
please stop me now, and clue me in on the secret...

Thanks.

-- Will Gillen
 
Will Gillen

Can you provide an example of what you are referring to...
You have my attention, I'm willing to explore anything that could keep me
from rewriting half of my code just to accommodate a simple timeout...

Thank you...

-- Will G.
 
