Integrated Windows Authentication and Session Timeout.

Discussion in 'ASP .Net Security' started by Sulaiman, Oct 19, 2007.

  1. Sulaiman

    Sulaiman Guest

    The main idea of IWA is to have a web site with single sign-on capabilities, and I
    think it is good if you have a web site that caters to internal people.
    A few questions coming out from this implementation:
    1) How does the C# Windows Authentication work? Does the NTLM handshake only
    happen in the first request, or does it perform an NTLM handshake for every request that
    gets sent to the server?

    If the NTLM handshake only happens in the first request, how does the server
    maintain the client state? Is it through a cookie?

    2) In a form-based implementation, it is very easy to implement session
    timeout. We initially assign the user an authentication cookie and just set
    the authentication cookie to expire in, say, 20 minutes. If it is expired, then
    just redirect to the login page. However, in the Windows Authentication
    environment, how do you implement session timeout? Because as long as the user
    is still logged in to the machine, it should never time out? What do you guys
    think about this?
    Sulaiman, Oct 19, 2007
    #1

  2. Sulaiman

    Sulaiman Guest

    Sorry, maybe I should post with the right terms... I need to differentiate
    between authentication and session state... I made some changes below.

    >
    > If the NTLM handshake only happens in the first request, how does the server
    > maintain the client state? Is it through a cookie?
    >

    How does the server maintain the authentication state? Is it through a cookie?
    Sulaiman, Oct 19, 2007
    #2

  3. The NTLM credentials are sent on every request, but IIS and the LSA do some
    clever caching so they don't have to do a roundtrip to the registry/a DC
    every time.

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Sorry, maybe I should post with the right terms... I need to
    > differentiate between authentication and session state... I made some
    > changes below
    >
    >> If the NTLM handshake only happens in the first request, how does the
    >> server maintain the client state? Is it through a cookie?
    >>

    > How does the server maintain the authentication state? Is it through
    > cookie?
    >
    Dominick Baier, Oct 24, 2007
    #3
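As an added illustration of the idle-timeout question in post #2 (this is example code, not from any poster in the thread): since the browser re-presents NTLM or Kerberos credentials on every request, there is no authentication cookie to let expire, so an ASP.NET application can instead track the last activity time in session state and end the session after 20 idle minutes. The `~/SessionTimedOut.aspx` page and the module name are assumptions for this example.

```csharp
using System;
using System.Web;

// Added example, not from the thread: enforces an idle timeout on top of
// Integrated Windows Authentication by recording the last activity time in
// session state. Register it under <httpModules> (IIS 6) or <modules> (IIS 7).
public class WindowsAuthIdleTimeoutModule : IHttpModule
{
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    private const string LastActivityKey = "IWA_LastActivityUtc";
    private const string IdentityKey = "IWA_Identity";
    // Hypothetical page that tells the user their session has expired.
    private const string TimedOutPath = "~/SessionTimedOut.aspx";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onward.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // no session (static file) or not yet authenticated by IIS
        if (string.Equals(ctx.Request.AppRelativeCurrentExecutionFilePath, TimedOutPath,
                          StringComparison.OrdinalIgnoreCase))
            return; // avoid redirect loops on the timeout page itself

        string identity = ctx.User.Identity.Name;
        DateTime? last = ctx.Session[LastActivityKey] as DateTime?;
        string owner = ctx.Session[IdentityKey] as string;

        // The session cookie is separate from the Windows credentials, so a session
        // that was created for a different account, or has sat idle too long, is dropped.
        if (last.HasValue && (owner != identity || DateTime.UtcNow - last.Value > IdleTimeout))
        {
            ctx.Session.Abandon();
            ctx.Response.Redirect(TimedOutPath, true);
            return;
        }

        // Any request by the same identity refreshes the activity timestamp.
        ctx.Session[LastActivityKey] = DateTime.UtcNow;
        ctx.Session[IdentityKey] = identity;
    }

    public void Dispose() { }
}
```

Because the browser will silently re-authenticate on the next request, the timeout page should make clear that only the application session ended, not the Windows logon.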
