Re: revoke Windows authentication credentials for a session
From: Nicole Calinoiu (calinoiu)
Date: 03/31/05
Date: Thu, 31 Mar 2005 14:21:47 -0500
The user credentials are being cached by the client browser, not by IIS. To
force the client user to enter credentials again, you would need to send an
appropriate 401 status message in response to the next client request.
However, doing this would run counter to very legitimate user expectations
of how Windows authentication is supposed to work, so you may want to
reconsider. When Windows user credentials have already been accepted by a
server (either via a login dialog or automatic submission under IE
configuration for the target site or zone), a 401 is only expected if a
requested resource cannot be accessed under the previously supplied
credentials. When you send a 401 after any credentials have been previously
accepted, the user should expect that they need to use different credentials
from their initial login. If you're expecting the same credentials, then
user confusion should be anticipated.
All in all, if you really want to force a new login, perhaps a different
authentication mode might be more appropriate...
"strutt" <strutt@discussions.microsoft.com> wrote in message
news:1F5E4E45-B775-46BD-847B-5542B0348583@microsoft.com...
> I am writing a web app that uses windows authentication. I have a logout
> button in the app that abandons session and returns the user to the main
> page of the application. I would like to force the user to provide their
> windows credentials again if they choose to reenter the application.
>
> Is there a way to invalidate the security principal that IIS has
> established from within the application?
>
> Thanks,
> Dave
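
The one-time 401 described in the reply above, sketched as WSGI middleware. This is an added example, not code from either poster or from IIS. It assumes the front-end server performs the actual Windows authentication handshake and sets REMOTE_USER; the cookie name, the /logout path and the sample user are hypothetical.

```python
from http.cookies import SimpleCookie

MARKER = "reauth_pending"  # hypothetical cookie name, set at logout
CHALLENGE = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]

class ForceReauth:
    """After a logout, answer the next request with exactly one 401."""
    def __init__(self, app, logout_path="/logout"):
        self.app, self.logout_path = app, logout_path

    def __call__(self, environ, start_response):
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if environ.get("PATH_INFO", "") == self.logout_path:
            # The marker is client-held, so this is a prompt trigger,
            # not a security boundary: session state must be dropped server-side.
            start_response("200 OK", [("Content-Type", "text/plain"),
                ("Set-Cookie", f"{MARKER}=1; Path=/; HttpOnly")])
            return [b"Logged out\n"]
        if MARKER in cookies:
            # Challenge once and clear the marker so the retry passes through.
            # A browser set to submit credentials automatically may not prompt.
            start_response("401 Unauthorized", CHALLENGE + [
                ("Content-Type", "text/plain"),
                ("Set-Cookie", f"{MARKER}=; Path=/; Max-Age=0; HttpOnly")])
            return [b"Authentication required\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello " + environ.get("REMOTE_USER", "?")).encode()]

def request(app, path, cookie=""):
    """Drive a WSGI app in-process with a constructed request."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "HTTP_COOKIE": cookie, "REMOTE_USER": "CORP\\dave"}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=h)))
    return seen["status"], seen["headers"], body
```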