Windows Authentication Timeout

Will Gillen

I have an ASP.NET application that is using Windows Integrated
Authentication (IIS) (as opposed to Forms Authentication).

When the user first logs into the application, IIS prompts the user for
their credentials.
Once they are "authenticated", their credentials remain active while their
web browser is open.

Now, I want the "authentication" to "timeout" in 3 minutes. This way if
they browse to another page after 3 minutes, they are prompted to "re-enter"
their credentials again.

I know that in FormsAuthentication, you can "de-authenticate" someone by
calling "FormsAuthentication.SignOut();" in the Session_End Event in
Global.asax.

Is there anything like that for Windows Integrated Authentication (IIS)?

(I had posted a similar question in:
microsoft.public.dotnet.framework.aspnet.security, but have not been able to
get a good response. Please excuse me for cross-posting this question, but
I really just need to know if it is even possible...)

Thanks.

-- Will G.
 
bruce barker

When you use integrated security, the credentials are requested for each
page. The browser just kindly tries the old login and password once to see
if it still works. To get the browser to reprompt, just respond with a 401
error. You will have to remember that you sent the 401, or they will never
get in again.


-- bruce (sqlwork.com)




| I have an ASP.NET application that is using Windows Integrated
| Authentication (IIS) (as opposed to Forms Authentication).
|
| When the user first logs into the application, IIS prompts the user for
| their credentials.
| Once they are "authenticated", their credentials remain active while their
| web browser is open.
|
| Now, I want the "authentication" to "timeout" in 3 minutes. This way if
| they browse to another page after 3 minutes, they are prompted to "re-enter"
| their credentials again.
|
| I know that in FormsAuthentication, you can "de-authenticate" someone by
| calling "FormsAuthentication.SignOut();" in the Session_End Event in
| Global.asax.
|
| Is there anything like that for Windows Integrated Authentication (IIS)?
|
| (I had posted a similar question in:
| microsoft.public.dotnet.framework.aspnet.security, but have not been able to
| get a good response. Please excuse me for cross-posting this question, but
| I really just need to know if it is even possible...)
|
| Thanks.
|
| -- Will G.
|
|
 
Will Gillen

I think I understand the approach you suggested.
But, I must be doing something wrong, because now I get prompted twice
during the FIRST request.
Then after the timeout (3 minutes) it does re-prompt me (YES, that's exactly
what I was looking for).
So, what did I do wrong that causes it to prompt me twice during the first
request?

This code is at the top of the Page_Load() method of the page I want to
protect:

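' Nothing cached for this session yet, so decide whether to challenge.
If context.Session.Item("USEROBJ") Is Nothing Then
    If context.Session.Item("AUTH_PROMPT") = True Then
        ' A 401 was already sent in this session.
        If context.User.Identity.IsAuthenticated Then
            context.Session.Add("USEROBJ", context.User.Identity)
        Else
            Response.StatusCode = 401
        End If
    Else
        ' No 401 sent in this session yet: record it, then challenge.
        context.Session.Add("AUTH_PROMPT", True)
        Response.StatusCode = 401
    End If
End If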
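
The double prompt on the first request comes from challenging every new session, including the one IIS has just authenticated. The following is an added example (not code from the thread) that sends the 401 only after idle time, remembers that it sent it as bruce's reply describes, and treats a new session arriving with an old `ASP.NET_SessionId` cookie as an expired one. The class name, session keys and helper names are hypothetical, and it assumes cookie-based session state with Windows authentication enforced by IIS.

```vbnet
' Added example, not the poster's code. Session key names are hypothetical.
Public Class ProtectedPage
    Inherits System.Web.UI.Page

    Private Const IdleLimitMinutes As Double = 3

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        ' Only reachable unauthenticated if anonymous access is also enabled in IIS.
        If Not Context.User.Identity.IsAuthenticated Then
            Challenge(False)
        End If

        If Not Session("AUTH_PROMPT") Is Nothing Then
            ' We sent the 401 on the previous request and the browser answered it.
            ' Clear the flag, otherwise the user is challenged on every request.
            Session.Remove("AUTH_PROMPT")
        ElseIf IdleTooLong() Then
            Challenge(True)
        End If

        ' Fresh browser (IIS has just prompted) or still-active user: no extra prompt.
        Session("LAST_SEEN_UTC") = DateTime.UtcNow
    End Sub

    Private Function IdleTooLong() As Boolean
        If Session.IsNewSession Then
            ' A new session that arrives with the old session cookie means the
            ' previous session expired, so the user was idle past the session timeout.
            Dim cookies As String = Request.Headers("Cookie")
            Return Not cookies Is Nothing AndAlso cookies.IndexOf("ASP.NET_SessionId") >= 0
        End If
        Dim lastSeen As Object = Session("LAST_SEEN_UTC")
        If lastSeen Is Nothing Then Return False
        Return DateTime.UtcNow.Subtract(CType(lastSeen, DateTime)).TotalMinutes > IdleLimitMinutes
    End Function

    Private Sub Challenge(ByVal rememberIt As Boolean)
        If rememberIt Then Session("AUTH_PROMPT") = True
        Response.StatusCode = 401
        ' End the response so the protected page is not rendered into the 401 body.
        Response.End()
    End Sub
End Class
```

The server cannot tell whether the credentials that answer the 401 were retyped or resent from the browser's cache, so this requests a prompt; it does not prove the user re-entered a password.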
 
Guest

Another way u could do this is to use JavaScript to timeout at any time u
want.
If u are interested in JS let me know!
 
Will Gillen

I give up...
I'm just going to use FormsAuthentication and write a Login page that will
take the user's Windows Domain Credentials and validate them against AD on
the backend. This way I can take advantage of being able to
programmatically control how long a User remains Authenticated. This seems
to be the only approach that will work. Apparently, Windows Authentication
doesn't have a Timeout value that can be set programmatically for ASPX
pages. "Once you're in, you're in" approach seems to be in place. I
understand that SSO (Single Sign-On) is the approach that Windows Integrated
Authentication was going for here, but it seems like programmers should be
able to override this in order to add additional security to certain parts
of their application.

If someone from Microsoft is listening, and can shed some light on this,
please stop me now, and clue me in on the secret...

Thanks.

-- Will Gillen
 
Will Gillen

Can you provide an example of what you are referring to...
You have my attention, I'm willing to explore anything that could keep me
from rewriting half of my code just to accommodate a simple timeout...

Thank you...

-- Will G.
 
Jes P

Seems to me this would be extremely annoying for your users - however,
you could try something like Neoteris - sort of an http VPN product -
and make your users authenticate through there.
 
Will Gillen

Ok, the idea to use Javascript to redirect after a certain time to a page
that asks the user to "close their window" is a bit cumbersome. I agree it
would be somewhat annoying...

So, what about this:

I could use FormsAuthentication, and validate the person's Userid/Password
against my backend AD provider. Then I could use Impersonation from that
point so that my NT permissions still apply on the individual ASPX page(s)
that I want to protect.

Is that correct? Is there a way to use impersonation in this way, so that I
can continue to use my NTFS permissions on the individual files?

I don't mind adding FormsAuthentication if I can still utilize my permission
settings...

Thanks.

-- Will G.
 
Guest

Will, I guess u wanted to implement Windows Auth timeout before. The user
mustn't close the window, u could modify the Jscript to do what u like after
the session timeout!

If u would be interested in forms auth timeout u could easily implement
that as u explained. Try reading through Web.Config, you can do a lot there.
GDLUCK!
 
