Re: Force Relogin. IIS6, ASP.NET app, IE6+ browser



Actually, what you want to do is impossible with your current
constraints. You will have to write a custom authentication protocol to
get the behavior you want.

And let's just leave your hypothesis alone - there are no
cookies/tokens involved; IIS has no idea what a session is; IIS does
not prompt with a login dialog.

The problem you face is that a browser will automatically attempt
Integrated Authentication using the currently logged in Windows user
credentials to login to a website which is in a Zone configured for
auto login. And the server cannot do anything about it because logins
(and auto-login) are a client-side optimization.

If you can control the browsers to not auto-login to your website, and
you can make your Web Application CLOSE the connection to logoff, then
you can get the behavior you want with Integrated Authentication
(NTLM). Integrated Authentication (Kerberos) is something different.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


Otis wrote:
I continue to research this and have hypothesized that what I'd really like
to happen is to have IIS issue a NEW session id to the client once
Session.Abandon is specified in my ASP.NET application. What appears to
happen by default is that the Session ID remains the same after the abandon,
but on the next connection IsNewSession is true. My hope is that when IIS
sees a different SessionID it will again prompt for the user with a windows
login dialog. Anyone got any feedback on this "guess"?

Again,
Otis

--
Thanks,
Otis


"Otis" wrote:

I'm trying to determine if it is possible to programmatically force an
already authenticated user (Using Integrated Windows Authentication) to login
again for my web site. I want them to be able to "logoff" for security
reasons and not have to close their browser. That way if someone sits at
their workstation and tries to link again to the site in question it will
prompt with the windows dialog again. Currently, if I try to "login" again
in the same browser it appears to already know who I am (I believe some
cookie or token is being held onto) and doesn't prompt me to login again.
Any ideas anyone?
--
Thanks,
Otis
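
Added example, not part of the original thread: the reply above distinguishes Integrated Authentication over NTLM from Kerberos, and this Python sketch tells the two apart by inspecting the token in an `Authorization` or `WWW-Authenticate` header value. The function name and the sample tokens are constructed for illustration, and the Kerberos check is a heuristic on the GSS-API OID, not a full SPNEGO parser.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
KRB5_OID = bytes.fromhex("2a864886f712010202")  # DER body of 1.2.840.113554.1.2.2

def classify_auth_header(value):
    """Classify an Authorization / WWW-Authenticate value as (scheme, mechanism, detail)."""
    parts = value.strip().split(None, 1)
    scheme = parts[0] if parts else ""
    if scheme.lower() not in ("ntlm", "negotiate"):
        return (scheme, "not-integrated", None)
    if len(parts) == 1:
        return (scheme, "offer", None)      # bare server challenge, no token yet
    try:
        blob = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:
        return (scheme, "malformed", None)
    pos = blob.find(b"NTLMSSP\x00")          # raw NTLM, or NTLM wrapped in SPNEGO
    if pos != -1 and len(blob) >= pos + 12:
        # The 4-byte little-endian message type follows the 8-byte signature.
        (msg_type,) = struct.unpack_from("<I", blob, pos + 8)
        return (scheme, "NTLM", NTLM_TYPES.get(msg_type, "type %d" % msg_type))
    if blob[:1] == b"\x60" and KRB5_OID in blob:
        return (scheme, "Kerberos", "GSS-API initial token")
    return (scheme, "unknown", None)

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed samples: token headers only, not captured traffic or valid credentials.
NTLM_TYPE1 = "NTLM " + _b64(b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207))
NTLM_TYPE3 = "Negotiate " + _b64(b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 52)
KRB_STUB = "Negotiate " + _b64(b"\x60\x0b\x06\x09" + KRB5_OID)

if __name__ == "__main__":
    for header in ("Negotiate", NTLM_TYPE1, NTLM_TYPE3, KRB_STUB, "Basic dXNlcjpwdw=="):
        print(classify_auth_header(header))
```

Run against header values taken from a proxy or server trace, it shows whether a given site's Integrated Authentication exchange is the NTLM case the reply describes or the Kerberos case it sets aside.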
