Windows Authentication Expiration

Discussion in 'ASP .Net Security' started by Michael J. Mooney, May 12, 2004.

  1. Greetings,
    If you set an ASP.NET site up with Windows NT Authentication, is it possible
    to set a session timeout? Currently, it appears that the IIS session will
    time out after the specified period of time, but if the user keeps the
    browser open, they are never prompted for their credentials again. We would
    like the site to prompt the user for their Windows credentials if their IIS
    session times out over a certain period of time.

    Any ideas?

    Thanks,
    Michael J. Mooney
    MCP+SB, MCAD, MCSD
     
    Michael J. Mooney, May 12, 2004
    #1

  2. Michael J. Mooney, May 12, 2004
    #2

  3. Ken Schaefer Guest

    AFAIK there are no easy ways to do this anymore. The authentication process
    (and subsequent resending of credentials) is part of the HTTP specification,
    so it's not easy for you to "modify" per se.

    What you are seeing is documented here:
    http://support.microsoft.com/?id=264921
    (scroll right down to the bottom and read the second bullet point under
    "notes")

    You used to be able to do something like use a client-side <meta
    http-equiv="refresh"> or javascript to redirect the user to:
    http://user:/somepage.aspx
    and the browser would then use: user and nonvalidpassword, overriding what
    it was using before. Because the password isn't valid, the user would be
    prompted to supply valid credentials. However, the most recent IE cumulative
    rollup patch means that IE no longer supports user credentials in the URI.

    The only ways I can think of are:
    a) Use client-side ActiveX control here:
    http://support.microsoft.com/?id=195192

    b) Use some client-side javascript to close the user's browser (and all
    other IE windows running in the current process) - though this becomes
    painful for the user since they need to reopen all the browser windows again

    c) Programmatically send a 403 header to the client (Not Authorized) and
    force the browser to pop up the user credentials dialogue box. You'd need some
    way of making sure that after the initial 403 header, the next header is
    200 if the user credentials are OK.

    Cheers
    Ken

    : Greetings,
    : If you set an ASP.NET site up with Windows NT Authentication, is it possible
    : to set a session timeout? Currently, it appears that the IIS session will
    : time out after the specified period of time, but if the user keeps the
    : browser open, they are never prompted for their credentials again. We would
    : like the site to prompt the user for their Windows credentials if their IIS
    : session times out over a certain period of time.
    :
    : Any ideas?
    :
    : Thanks,
    : Michael J. Mooney
    : MCP+SB, MCAD, MCSD
    :
    :
     
    Ken Schaefer, May 13, 2004
    #3
  4. I have a button on a few applications for changing user credentials in a
    currently logged in web application secured with integrated security. I
    included the code below. It works for changing user credentials but I
    have not tested it for the kind of purpose Michael wants. You should be
    able to hook this into the Application level events of the HTTP Pipeline
    but off the top of my head I am not sure what I would do. The
    Global_Authentication (Application_AuthenticateRequest in global.asax)
    seems to be the place I would first go but at that point I don't believe
    you have access to the session. But anyways maybe this will give you
    some ideas.


    private void Button1_Click(object sender, System.EventArgs e)
    {
        // Cookie that tracks whether the next click should trigger a 401 challenge.
        HttpCookie chandLogonCookie;
        chandLogonCookie = Request.Cookies["ChangeLogin"];

        try
        {
            if (chandLogonCookie.Value != "true")
            {
                // Arm the flag; the next click sends the 401.
                chandLogonCookie = new HttpCookie("ChangeLogin", "true");
                Response.Cookies.Add(chandLogonCookie);
            }
            else
            {
                //Ask IIS to authenticate the user if they are currently anonymous.
                //This may allow a second request to succeed.
                Response.StatusCode = 401;
                Response.StatusDescription = "Unauthorized";
                Response.Write("<h2>You are not authorized to view this page</h2>");
                Response.Cookies["ChangeLogin"].Value = "false";
            }
        }
        catch
        {
            // Reached when the request carries no ChangeLogin cookie
            // (chandLogonCookie is null, so reading .Value throws).
            chandLogonCookie = new HttpCookie("ChangeLogin", "false");
            Response.Cookies.Add(chandLogonCookie);
            //Ask IIS to authenticate the user if they are currently anonymous.
            //This may allow a second request to succeed.
            Response.StatusCode = 401;
            Response.StatusDescription = "Unauthorized";
            Response.Write("<h2>Unauthorized...</h2>");
        }
    }
     
    Joseph E Shook [MVP - ADSI], May 14, 2004
    #4
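
Added example (not code from any poster in this thread): one way to combine the 401 challenge above with an idle timer, hooked into Application_PreRequestHandlerExecute in global.asax because session state is available by that event. The session keys and the 15-minute IdleLimit are assumptions, and the sessionState timeout in web.config is assumed to be longer than IdleLimit.

```csharp
// Global.asax.cs -- added example, not code from the thread.
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Assumed value: must be shorter than the sessionState timeout in web.config,
    // otherwise the session (and the timestamp below) is gone before the limit is hit.
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(15);

    // Hypothetical session keys used only by this example.
    private const string LastSeenKey = "LastSeenUtc";
    private const string ChallengedKey = "ReauthChallenged";

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        HttpSessionState session = ctx.Session;
        if (session == null) return;   // this handler does not use session state

        DateTime now = DateTime.UtcNow;
        object lastSeen = session[LastSeenKey];
        bool alreadyChallenged = session[ChallengedKey] != null;

        if (lastSeen != null && !alreadyChallenged
            && now - (DateTime)lastSeen > IdleLimit)
        {
            // Idle too long: answer 401 exactly once and remember that we did,
            // so the browser's follow-up request is let through.
            session[ChallengedKey] = true;
            ctx.Response.Clear();
            ctx.Response.StatusCode = 401;
            ctx.Response.StatusDescription = "Unauthorized";
            ctx.Response.Write("<h2>Session idle too long, please sign in again</h2>");
            CompleteRequest();         // skip the page handler for this request
            return;
        }

        // First request, an active session, or the request that follows a
        // challenge: clear the flag and restart the idle clock.
        session.Remove(ChallengedKey);
        session[LastSeenKey] = now;
    }
}
```

With Integrated Windows authentication the browser may answer the 401 with the logged-on user's credentials without showing a prompt, and the server cannot tell that apart from a re-typed password. The challenge is also one-shot, so a user who cancels the dialog and reloads is let through.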