Background.
We have a corporate intranet that is (as much as makes no difference)
entirely IIS web servers & IE browsers. We use a standard Windows
domain logon and use active directory. We also have a "standard" user
(like a guest one) that has few privileges.
Web pages are secured and authenticated by manipulating the permissions
on the files and folders within the web. This has been the situation
for a number of years and is relatively set in stone. We use challenge
response to authenticate for web pages.
If a user logs on as the std user and tries to access a web page to
which they have no access, a login box appears. If they are really a
user with the correct credentials they can enter their userid/passwd at
the prompts. As I understand it, it isn't possible to revoke that
authentication (ie for that user to log off and revert to the std user)
without closing down IE and any other browser windows that the user may
have opened whilst "logged on." Is that correct?
Assuming that is correct, how would we manage the following. Imagine an
operation that needs two users to authorise it at the time it happens
(eg a second nurse witnessing the administration of a medicine in a
hospital, or a superviser check on a large transaction.) How could that
second person's credentials be checked against their windows domain
login and subsequently cancelled? Is there really no way to cancel the
1st user's logon either?
I'm fairly new to this so would appreciate some pointers.... i've
pondered with creating session variable "tokens" and all sorts of
things, but would like a nudge in the right direction before I get too
embroiled in all this as the inability to revoke the authentication
always seems to end up scuppering any idea that I have :(
Thanks
--
Paul
