Windows Authentication and Session State

[Will Gillen]

I have an ASP.NET application that is using windows authentication (basic).
It prompts the user for their Windows Credentials when they first load the
page.

Now, I want to have the "session" timeout in 3 minutes, so that the page
will again prompt them for their credentials if this timeout has elapsed.

I have tried setting the "Session.timeout = 3" in the page_load method of
the page I want to secure.

I notice that the "Session_End" method in Global.Asax does fire, but the
Authentication Ticket appears to "stay valid" even after the Session has
ended.

Is there a way to force the page to prompt again for Windows Credentials at
specified timeouts?

Please let me know.

Thanks.

-- Will Gillen

 

[Nico den Boer]

I'm new to .NET, but hopefully you can use this...

I've included the following code in global.asax:

protected void Session_End(Object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated)
{
// User is still authenticated
FormsAuthentication.SignOut();
}
}

This makes the Authentication Ticket invalid.

Nico

 

[Will Gillen]

"FormsAuthentication.SignOut();" doesn't appear to work on "Windows
Integrated" Authentication.

My application is using "Windows Integrated" Authentication, and not Forms
based authentication. This means that IIS is handling the authentication
and creating an identity. M question is: how can I "un-authenticate" the
identity at a specified time interval (without having to have the users
close all their browser windows)?

This approach that you provided is in the direction that I'm looking for,
but when i tried to implement, it didn't seem to work with "Windows
Integrated" Authentication.

Any other ideas?

-- Will G.