Windows Authentication Timeout

From: Will Gillen (g_i_l_l_e_0_0_1__at__n_s_u_o_k_._e_d_u)
Date: 11/10/04


Date: Wed, 10 Nov 2004 09:16:27 -0600

I have been working on trying to enforce a "timeout" on Windows Integrated
Authentication.
Basically I want the aspx page to force the "authenticated" user to re-enter
their credentials if it has been longer than 3 minutes since their last page
request.

Another individual had suggested adding a value to the Session object, and
setting the page timeout to 3 minutes.
Then, if that value is not present in the Session Object, just return a
Response.StatusCode of "401" to force the browser to "re-authenticate".

I "kinda" got that working, but now the browser is asking for credentials
Twice on the First page request. Then all subsequent requests (after 3
minutes) are only prompting once.

Can anyone help me get this figured out? I'm pretty close, I just need help
in keeping the First Request from prompting Twice for credentials...

This code is at the top of the Page_Load() method of the page I want to
secure:

        'Set the Session Timeout to 3 mins:
        Session.Timeout = 3
        'See if the User.Identity object is already in the Session (means it hasn't "timed-out"):
        If context.Session.Item("USEROBJ") Is Nothing Then
            'If New session, then See if they have already been prompted for creds:
            If context.Session.Item("AUTH_PROMPT") = True Then
                If context.User.Identity.IsAuthenticated Then
                    'If they have already been prompted and passed authentication,
                    'Then add the User.Identity to the Session:
                    context.Session.Add("USEROBJ", context.User.Identity)
                Else
                    'Otherwise, respond with "401" to prompt for Creds again:
                    Response.StatusCode = 401
                End If
            Else
                'Since this is a new Session, and they haven't been prompted for creds (as far as I know),
                'Then add the "AUTH_PROMPT" flag to the Session, and respond with "401":
                context.Session.Add("AUTH_PROMPT", True)
                Response.StatusCode = 401
            End If
        End If
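
Added example, not part of the original post: a small Python model of the request sequence, which reproduces the two prompts on the first visit and the single prompt after a timeout. It assumes anonymous access is disabled (the web server answers 401 before the page runs) and that the browser shows a dialog on every 401; the `variant` flag and the stale-session-cookie signal are hypothetical, shown only for comparison.

```python
# Added illustration: a model of the exchange, not the poster's ASP.NET code.
# Assumptions: the web server itself answers 401 to a request that carries no
# credentials; the browser prompts on every 401 and then resends with credentials.

def page_load(session, authenticated, stale_cookie=False, variant=False):
    """Mirror of the posted Page_Load logic; returns the HTTP status."""
    if "USEROBJ" in session:
        return 200
    # Hypothetical variant: a new session with no old session cookie is a
    # first visit that the server already challenged, so skip the extra 401.
    fresh = variant and not stale_cookie
    if session.get("AUTH_PROMPT") or fresh:
        if authenticated:
            session["USEROBJ"] = "identity"
            return 200
        return 401
    session["AUTH_PROMPT"] = True
    return 401


def count_prompts(session, has_creds, stale_cookie, variant=False):
    """Drive one page visit to a 200 and count the credential dialogs."""
    prompts = 0
    for _ in range(5):                      # bounded so a logic error cannot loop
        if not has_creds:
            status = 401                    # server-level challenge, page never runs
        else:
            status = page_load(session, True, stale_cookie, variant)
        if status == 200:
            return prompts
        prompts += 1                        # browser shows the dialog
        has_creds = True                    # user enters valid credentials
    raise RuntimeError("no 200 after 5 attempts")


def first_visit(variant=False):
    # No session, no credentials, no session cookie yet.
    return count_prompts({}, has_creds=False, stale_cookie=False, variant=variant)


def after_timeout(variant=False):
    # Session expired: empty session, but the browser still holds credentials
    # and still sends the old session cookie.
    return count_prompts({}, has_creds=True, stale_cookie=True, variant=variant)
```

In this model the first visit costs one challenge from the server plus one from the page, because the page cannot tell a just-authenticated new visitor from an expired session.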


