How to force reauthentication of a Web service client (Basic auth)

Discussion in 'ASP .Net Security' started by Alek Davis, Oct 24, 2003.

  1. Alek Davis

    Alek Davis Guest

    Sorry for cross-posting, but I am not quite sure where this question belongs
    (maybe it should be addressed to some other group).

    I have a Web service (IIS/ASP.NET) configured to run under Basic
    authentication (anonymous access is disabled along with integrated Windows
    and digest authentication). I have another server application (RPC server/NT
    service) running on a different machine, which calls this Web service. The
    client applications, which call the RPC server, must provide the user's
    credentials, which the RPC server will use for Basic authentication when
    calling the Web service.

    What I noticed is that after the first client provides valid credentials and
    the RPC server successfully calls the Web service, any other client making
    calls after that can provide invalid credentials (or no credentials at all),
    but the RPC server can still call the Web service. It looks like the first
    valid credentials are cached somewhere for a certain period of time, because
    after inactivity (not sure how long, but it looks like half an hour or so),
    the RPC server must reauthenticate (I also need to reauthenticate after
    restarting the RPC server or starting another instance). This is a potential
    security problem, so I would like to force reauthentication on every call to
    prevent different clients from "piggybacking" on the credentials of the
    first successful client, but I cannot figure out what I need to do. All of
    the RPC calls are stateless, which means that any Web service proxy objects
    go out of scope after the calls are complete. Even though my original
    application involves a mix of C/C# code (using COM Interop), I can duplicate
    the same behavior from a simple Windows Forms (C#) application calling a Web
    service. Could someone explain why the consecutive calls use the cached
    (whatever this means) Basic credentials? Is there a way to disable caching
    of credentials between the Web service method calls? The closest info, which
    looks more-or-less relevant, I was able to find, addresses a similar problem
    of the Web Browser control (, but it
    does not seem to help me solve the problem. Any hints? Is it possible to
    clear "cached" credentials when making SOAP calls from a
    SoapHttpClientProtocol-derived class?


    Alek Davis, Oct 24, 2003