How to force reauthentication of a Web service client (Basic auth)

Alek Davis

Sorry for cross-posting, but I am not quite sure where this question belongs
(maybe it should be addressed to some other group).

I have a Web service (IIS/ASP.NET) configured to run under Basic
authentication (anonymous access is disabled along with integrated Windows
and digest authentication). I have another server application (RPC server/NT
service) running on a different machine, which calls this Web service. The
client applications, which call the RPC server, must provide the user's
credentials, which the RPC server will use for Basic authentication when
calling the Web service.

What I noticed is that after the first client provides valid credentials and
the RPC server successfully calls the Web service, any other client making
calls after that can provide invalid credentials (or no credentials at all),
but the RPC server can still call the Web service. It looks like the first
valid credentials are cached somewhere for a certain period of time, because
after inactivity (not sure how long, but it looks like half an hour or so),
the RPC server must reauthenticate (I also need to reauthenticate after
restarting the RPC server or starting another instance). This is a potential
security problem, so I would like to force reauthentication on every call to
prevent different clients from "piggybacking" on the credentials of the
first successful client, but I cannot figure out what I need to do. All of
the RPC calls are stateless, which means that any Web service proxy objects
go out of scope after the calls are complete. Even though my original
application involves a mix of C/C# code (using COM Interop), I can duplicate
the same behavior from a simple Windows Forms (C#) application calling a Web
service. Could someone explain why the consecutive calls use the cached
(whatever this means) Basic credentials? Is there a way to disable caching
of credentials between the Web service method calls? The closest info, which
looks more-or-less relevant, I was able to find, addresses a similar problem
of the Web Browser control (http://support.microsoft.com/?id=195192), but it
does not seem to help me solve the problem. Any hints? Is it possible to
clear "cached" credentials when making SOAP calls from a
SoapHttpClientProtocol-derived class?

Thanks,

Alek