Re: Windows Authentication Timeout
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/10/04
Date: Wed, 10 Nov 2004 14:17:57 -0600
You might also be able to do something like set a cookie or session variable
when your timeout is reached and redirect to an error page whenever the user
has that flag. The page would just instruct them to close the browser.
The problem is that with Windows auth, the browser caches those credentials
and wants to send them if it has them, so you are trying to fight a client
behavior with a server solution.
Joe K.
"Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u> wrote in message
news:O$2%23991xEHA.1564@TK2MSFTNGP09.phx.gbl...
> Forget it.
> I'll just rewrite it to use FormsAuthentication.
>
> -- Will G.
>
>
> "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
> news:FPSnQ80xEHA.768@cpmsftngxa10.phx.gbl...
>> Will,
>>
>> If you want to force the cached credentials in Internet Explorer to expire,
>> the best method is to use an ActiveX control that calls InternetSetOption.
>> Here's an article:
>>
>> http://support.microsoft.com/default.aspx?scid=KB;EN-US;195192
>>
>> Jim Cheshire [MSFT]
>> MCP+I, MCSE, MCSD, MCDBA
>> ASP.NET Developer Support
>> jamesche@online.microsoft.com
>>
>> This post is provided "AS-IS" with no warranties and confers no rights.
>>
>>
>> --------------------
>> | From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
>> | Subject: Re: Windows Authentication Timeout
>> | Date: Wed, 10 Nov 2004 11:00:22 -0600
>> |
>> | Yes, I have looked at Forms Authentication, the problem is that I wanted to
>> | take advantage of Windows AD Groups and Permissions. I already have the
>> | application written to that standard, and now I have to go back and add a
>> | whole bunch of logic to handle Forms based authentication, figure out what
>> | groups have permission to what resources and add that information to the
>> | Web.Config file, and basically "unsecure" portions of my website by allowing
>> | "anonymous" access to the ASPX resources so that FormsAuthentication will
>> | work. All that, just so I can have an authentication timeout?
>> |
>> | I believe that the reason they are prompted twice on the first request is
>> | because IIS first prompts the client, then my VB code in .NET prompts the
>> | client (because it has no idea that the person was already prompted).
>> |
>> | To me, it seems that the primary problem (for me in this instance) is that
>> | either IIS or the browser is "caching" the credentials of the client, and
>> | those credentials are being "re-used" on subsequent requests to the
>> | resource.
>> |
>> | If only there were some way to programmatically configure how long either
>> | IIS or the browser can "cache" the credentials (if that is what is
>> | happening)......
>> |
>> | -- Will Gillen
>> |
>> |
>> |
>> | "Jim Cheshire [MSFT]" <jamesche@online.microsoft.com> wrote in message
>> | news:%23X74PrzxEHA.3640@cpmsftngxa10.phx.gbl...
>> | > Hi Will,
>> | >
>> | > Have you looked at Forms authentication? That might be a better choice for
>> | > you.
>> | >
>> | > You might be able to stop the second prompt by adding a Response.End after
>> | > returning a 401. I'd have to trace it with Netmon to be sure why that's
>> | > happening.
>> | >
>> | > Jim Cheshire [MSFT]
>> | > MCP+I, MCSE, MCSD, MCDBA
>> | > ASP.NET Developer Support
>> | > jamesche@online.microsoft.com
>> | >
>> | > This post is provided "AS-IS" with no warranties and confers no rights.
>> | >
>> | >
>> | > --------------------
>> | > | From: "Will Gillen" <g_i_l_l_e_0_0_1_@_n_s_u_o_k_._e_d_u>
>> | > | Subject: Windows Authentication Timeout
>> | > | Date: Wed, 10 Nov 2004 09:16:27 -0600
>> | > |
>> | > | I have been working on trying to enforce a "timeout" on Windows Integrated
>> | > | Authentication.
>> | > | Basically I want the aspx page to force the "authenticated" user to re-enter
>> | > | their credentials if it has been longer than 3 minutes since their last page
>> | > | request.
>> | > |
>> | > | Another individual had suggested adding a value to the Session object, and
>> | > | setting the page timeout to 3 minutes.
>> | > | Then, if that value is not present in the Session Object, just return a
>> | > | Response.StatusCode of "401" to force the browser to "re-authenticate".
>> | > |
>> | > | I "kinda" got that working, but now the browser is asking for credentials
>> | > | Twice on the First page request. Then all subsequent requests (after 3
>> | > | minutes) are only prompting once.
>> | > |
>> | > | Can anyone help me get this figured out? I'm pretty close, I just need help
>> | > | in keeping the First Request from prompting Twice for credentials...
>> | > |
>> | > |
>> | > | This code is at the top of the Page_Load() method of the page I want to
>> | > | secure:
>> | > |
>> | > | 'Set the Session Timeout to 3 mins:
>> | > | Session.Timeout = 3
>> | > | 'See if the User.Identity object is already in the Session
>> | > | '(means it hasn't "timed-out"):
>> | > | If context.Session.Item("USEROBJ") Is Nothing Then
>> | > |     'If New session, then See if they have already been prompted for creds:
>> | > |     If context.Session.Item("AUTH_PROMPT") = True Then
>> | > |         If context.User.Identity.IsAuthenticated Then
>> | > |             'If they have already been prompted and passed authentication,
>> | > |             'Then add the User.Identity to the Session:
>> | > |             context.Session.Add("USEROBJ", context.User.Identity)
>> | > |         Else
>> | > |             'Otherwise, respond with "401" to prompt for Creds again:
>> | > |             Response.StatusCode = 401
>> | > |         End If
>> | > |     Else
>> | > |         'Since this is a new Session, and they haven't been prompted
>> | > |         'for creds (as far as I know),
>> | > |         'Then add the "AUTH_PROMPT" flag to the Session, and respond with "401":
>> | > |         context.Session.Add("AUTH_PROMPT", True)
>> | > |         Response.StatusCode = 401
>> | > |     End If
>> | > | End If
>> | > |
>> | > |
>> | > |
>> | >
>> |
>> |
>> |
>>
>
>
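The approach suggested at the top of this message (flag the session once the idle limit is reached, then send every later request to a page telling the user to close the browser), sketched in VB.NET as an added example that is not code from anyone in the thread. The class name IdleTimeoutPage, the session keys LAST_SEEN and TIMED_OUT, and the page SessionExpired.aspx are hypothetical.

```vb
Imports System
Imports System.Web.UI

' Added example: base class for pages that need an idle timeout on top of
' Windows Integrated Authentication. All names here are hypothetical.
Public Class IdleTimeoutPage
    Inherits Page

    Private Const IdleLimitMinutes As Integer = 3
    ' The session must outlive the idle limit, or the flag disappears
    ' with the session and the cached credentials work again.
    Private Const SessionMinutes As Integer = 60
    ' This page must NOT inherit from IdleTimeoutPage (redirect loop).
    Private Const ExpiredUrl As String = "~/SessionExpired.aspx"

    ' Pure check, kept separate so it can be unit tested.
    Public Shared Function IsIdleExpired(ByVal lastSeenUtc As DateTime, _
            ByVal nowUtc As DateTime, ByVal limitMinutes As Integer) As Boolean
        Return nowUtc.Subtract(lastSeenUtc).TotalMinutes > limitMinutes
    End Function

    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        Session.Timeout = SessionMinutes
        Dim nowUtc As DateTime = DateTime.UtcNow
        Dim lastSeen As Object = Session("LAST_SEEN")

        ' Latch the flag the first time a request arrives after the limit.
        If Not (lastSeen Is Nothing) AndAlso _
           IsIdleExpired(CType(lastSeen, DateTime), nowUtc, IdleLimitMinutes) Then
            Session("TIMED_OUT") = True
        End If

        ' Once latched, later activity never clears it: the browser still
        ' holds the credentials, so only a new browser session gets back in.
        If Not (Session("TIMED_OUT") Is Nothing) Then
            Response.Redirect(ResolveUrl(ExpiredUrl), True)
        End If

        Session("LAST_SEEN") = nowUtc
        MyBase.OnLoad(e)
    End Sub
End Class
```

The flag lasts only as long as the ASP.NET session, so this blocks the page without re-prompting for credentials; the browser will still send its cached credentials once the session itself is gone.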