Windows Authentication and Session State

Discussion in 'ASP .Net Security' started by Will Gillen, Nov 8, 2004.

  1. Will Gillen

    Will Gillen Guest

    I have an ASP.NET application that is using windows authentication (basic).
    It prompts the user for their Windows Credentials when they first load the
    page.

    Now, I want to have the "session" timeout in 3 minutes, so that the page
    will again prompt them for their credentials if this timeout has elapsed.

    I have tried setting the "Session.timeout = 3" in the page_load method of
    the page I want to secure.

    I notice that the "Session_End" method in Global.Asax does fire, but the
    Authentication Ticket appears to "stay valid" even after the Session has
    ended.

    Is there a way to force the page to prompt again for Windows Credentials at
    specified timeouts?

    Please let me know.

    Thanks.

    -- Will Gillen
    Will Gillen, Nov 8, 2004
    #1
    1. Advertising

  2. I'm new to .NET, but hopefully you can use this...

    I've included the following code in global.asax:

    protected void Session_End(Object sender, EventArgs e)
    {
    if (User.Identity.IsAuthenticated)
    {
    // User is still authenticated
    FormsAuthentication.SignOut();
    }
    }

    This makes the Authentication Ticket invalid.

    Nico
    Nico den Boer, Nov 9, 2004
    #2
    1. Advertising

  3. Will Gillen

    Will Gillen Guest

    "FormsAuthentication.SignOut();" doesn't appear to work on "Windows
    Integrated" Authentication.

    My application is using "Windows Integrated" Authentication, and not Forms
    based authentication. This means that IIS is handling the authentication
    and creating an identity. M question is: how can I "un-authenticate" the
    identity at a specified time interval (without having to have the users
    close all their browser windows)?

    This approach that you provided is in the direction that I'm looking for,
    but when i tried to implement, it didn't seem to work with "Windows
    Integrated" Authentication.

    Any other ideas?

    -- Will G.


    "Nico den Boer" <> wrote in message
    news:...
    > I'm new to .NET, but hopefully you can use this...
    >
    > I've included the following code in global.asax:
    >
    > protected void Session_End(Object sender, EventArgs e)
    > {
    > if (User.Identity.IsAuthenticated)
    > {
    > // User is still authenticated
    > FormsAuthentication.SignOut();
    > }
    > }
    >
    > This makes the Authentication Ticket invalid.
    >
    > Nico
    >
    >
    Will Gillen, Nov 9, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. shamanthakamani
    Replies:
    1
    Views:
    3,469
    Natty Gur
    Nov 20, 2003
  2. Not Liking Dot Net Today
    Replies:
    0
    Views:
    588
    Not Liking Dot Net Today
    Apr 21, 2004
  3. Maciek
    Replies:
    0
    Views:
    8,223
    Maciek
    Sep 15, 2005
  4. jnickfl1
    Replies:
    0
    Views:
    565
    jnickfl1
    Sep 18, 2006
  5. archana
    Replies:
    0
    Views:
    330
    archana
    Mar 13, 2007
Loading...

Share This Page