Windows Authentication Timeout

Discussion in 'ASP .Net' started by Will Gillen, Nov 9, 2004.

  1. Will Gillen

    Will Gillen Guest

    I have an ASP.NET application that is using Windows Integrated
    Authentication (IIS) (as opposed to Forms Authentication).

    When the user first logs into the application, IIS prompts the user for
    their credentials.
    Once they are "authenticated", their credentials remain active while their
    web browser is open.

    Now, I want the "authentication" to "timeout" in 3 minutes. This way if
    they browse to another page after 3 minutes, they are prompted to "re-enter"
    their credentials again.

    I know that in FormsAuthentication, you can "de-authenticate" someone by
    calling "FormsAuthentication.SignOut();" in the Session_End Event in
    Global.asax.

    Is there anything like that for Windows Integrated Authentication (IIS)?

    (I had posted a similar question in:
    microsoft.public.dotnet.framework.aspnet.security, but have not been able to
    get a good response. Please excuse me for cross-posting this question, but
    I really just need to know if it is even possible...)

    Thanks.

    -- Will G.
    Will Gillen, Nov 9, 2004
    #1

  2. bruce barker Guest

    when you use integrated security, the credentials are requested for each
    page. the browser just kindly tries the old login and password once to see
    if it still works. to get the browser to reprompt just respond with a 401
    error. you will have to remember that you sent the 401, or they will never
    get in again.


    -- bruce (sqlwork.com)
    bruce barker, Nov 9, 2004
    #2

  3. Will Gillen

    Will Gillen Guest

    I think I understand the approach you suggested.
    But, I must be doing something wrong, because now I get prompted twice
    during the FIRST request.
    Then after the timeout (3 minutes) it does re-prompt me (YES, that's exactly
    what I was looking for).
    So, what did I do wrong that causes it to prompt me twice during the First
    request.

    This code is at the top of the Page_Load() method of the page I want to
    protect:

    If context.Session.Item("USEROBJ") Is Nothing Then
        If context.Session.Item("AUTH_PROMPT") = True Then
            If context.User.Identity.IsAuthenticated Then
                context.Session.Add("USEROBJ", context.User.Identity)
            Else
                Response.StatusCode = 401
            End If
        Else
            context.Session.Add("AUTH_PROMPT", True)
            Response.StatusCode = 401
        End If
    End If

    Will Gillen, Nov 9, 2004
    #3
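
An added example, not code from the thread: bruce barker's "remember that you sent the 401" advice as a VB.NET code-behind that challenges only after 3 idle minutes. The snippet posted in #3 answers the first request of every session with 401, after IIS has already authenticated the user, which is the double prompt; here a fresh session is admitted and only an idle or expired one is challenged. The class name, the session keys and the unchanged default `ASP.NET_SessionId` cookie name are assumptions.

```vbnet
Imports System
Imports System.Web.UI

' Added example, not from the thread. Class name and session keys are hypothetical;
' "ASP.NET_SessionId" is the default session cookie name and is assumed unchanged.
Public Class ProtectedPage
    Inherits Page

    Private Const LastSeenKey As String = "REAUTH_LAST_SEEN"
    Private Const ChallengedKey As String = "REAUTH_CHALLENGED"
    Private Shared ReadOnly IdleLimit As TimeSpan = TimeSpan.FromMinutes(3)

    ' Pure decision: True means "answer this request with 401".
    Public Shared Function MustChallenge(ByVal isAuthenticated As Boolean,
                                         ByVal challengeOutstanding As Boolean,
                                         ByVal sessionExpired As Boolean,
                                         ByVal lastSeenUtc As Object,
                                         ByVal nowUtc As DateTime,
                                         ByVal limit As TimeSpan) As Boolean
        ' IIS normally rejects anonymous requests before the page runs; fail closed anyway.
        If Not isAuthenticated Then Return True
        ' Our previous response was the 401, so this request is the browser's answer to it.
        If challengeOutstanding Then Return False
        ' The server-side session timed out while the browser stayed open:
        ' the idle timestamp is gone, so treat it as an idle timeout.
        If sessionExpired Then Return True
        ' First request of a new browser session: IIS has just authenticated the user.
        If lastSeenUtc Is Nothing Then Return False
        Return (nowUtc - CType(lastSeenUtc, DateTime)) > limit
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim nowUtc As DateTime = DateTime.UtcNow
        Dim outstanding As Boolean = Session(ChallengedKey) IsNot Nothing
        ' A new server-side session that arrives with an old session cookie has expired.
        Dim expired As Boolean = Session.IsNewSession AndAlso
                                 Request.Cookies("ASP.NET_SessionId") IsNot Nothing

        If MustChallenge(User.Identity.IsAuthenticated, outstanding, expired,
                         Session(LastSeenKey), nowUtc, IdleLimit) Then
            Session(ChallengedKey) = True   ' remember that the 401 was sent
            Response.StatusCode = 401
            Response.End()                  ' stop here so the page body is not rendered
            Return
        End If

        ' Admitted: clear the challenge marker and restart the idle clock.
        Session.Remove(ChallengedKey)
        Session(LastSeenKey) = nowUtc
    End Sub
End Class
```

HTTP authentication gives the server no way to tell retyped credentials from ones the browser sends again on its own, so the request that follows the 401 is admitted either way; this produces a re-prompt, not proof that the user is still at the keyboard.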
  4. Another way u could do this is to use Javascript to timeout at any time
    u want..
    If u are interested in JS let me know!
    Patrick.O.Ige, Nov 9, 2004
    #4
  5. Will Gillen

    Will Gillen Guest

    I give up...
    I'm just going to use FormsAuthentication and write a Login page that will
    take the users Windows Domain Credentials and validate them against AD on
    the backend. This way I can take advantage of being able to
    programmatically control how long a User remains Authenticated. This seems
    to be the only approach that will work. Apparently, Windows Authentication
    doesn't have a Timeout value that can be set programmatically for ASPX
    pages. "Once you're in, you're in" approach seems to be in place. I
    understand that SSO (Single Sign-On) is the approach that Windows Integrated
    Authentication was going for here, but it seems like programmers should be
    able to override this in order to add additional security to certain parts
    of their application.

    If someone from Microsoft is listening, and can shed some light on this,
    please stop me now, and clue me in on the secret...

    Thanks.

    -- Will Gillen
    Will Gillen, Nov 10, 2004
    #5
  6. But if on pages you could use Jscript?
    To timeout why the stress!!
    Patrick
    Patrick.O.Ige, Nov 11, 2004
    #6
  7. Will Gillen

    Will Gillen Guest

    Can you provide an example of what you are referring...
    You have my attention, I'm willing to explore anything that could keep me
    from rewriting half of my code just to accommodate a simple timeout...

    Thank you...

    -- Will G.
    Will Gillen, Nov 11, 2004
    #7
  8. Hi Will,
    Look through these 2 articles, they should help you:

    http://www.extremeexperts.com/Net/Articles/RedirectingPageAfterSessionTimeout.aspx

    http://developer.irt.org/script/1563.htm

    Enjoy!
    Patrick.O.Ige, Nov 11, 2004
    #8
  9. Jes P Guest

    Seems to me this would be extremely annoying for your users - however,
    you could try something like Neoteris - sort of an http VPN product -
    and make your users authenticate through there.
    Jes P, Nov 15, 2004
    #9
  10. Will Gillen

    Will Gillen Guest

    Ok, the idea to use Javascript to redirect after a certain time to a page
    that asks the user to "close their window" is a bit cumbersome. I agree it
    would be somewhat annoying...

    So, what about this:

    I could use FormsAuthentication, and validate the person's Userid/Password
    against my backend AD provider. Then I could use Impersonation from that
    point so that my NT permissions still apply on the individual ASPX page(s)
    that I want to protect.

    Is that correct? Is there a way to use impersonation in this way, so that I
    can continue to use my NTFS permissions on the individual files?

    I don't mind adding FormsAuthentication if I can still utilize my permission
    settings...

    Thanks.

    -- Will G.
    Will Gillen, Nov 15, 2004
    #10
  11. Will, I guess u wanted to implement Windows Auth timeout before. The user
    mustn't close the window, u could modify the Jscript to do what u like after
    the session timeout!

    If u would be interested with forms auth timeout u could easily implement
    that as u explained. Try reading through Web.Config, you can do a lot there..
    GDLUCK!
    Patrick.O.Ige, Nov 15, 2004
    #11