Windows Authentication Timeout

I have an ASP.NET application that is using Windows Integrated
Authentication (IIS) (as opposed to Forms Authentication).

When the user first logs into the application, IIS prompts the user for
their credentials.
Once they are "authenticated", their credentials remain active while their
web browser is open.

Now, I want the "authentication" to "timeout" in 3 minutes. This way if
they browse to another page after 3 minutes, they are prompted to "re-enter"
their credentials again.

I know that in FormsAuthentication, you can "de-authenticate" someone by
calling "FormsAuthentication.SignOut();" in the Session_End Event in
Global.asax.

Is there anything like that for Windows Integrated Authentication (IIS)?

(I had posted a similar question in:
microsoft.public.dotnet.framework.aspnet.security, but have not been able to
get a good response. Please excuse me for cross-posting this question, but
I really just need to know if it is even possible...)

Thanks.

-- Will G.
Nov 18 '05 #1
when you use integrated security, the credentials are requested for each
page. the browser just kindly tries the old login and password once to see
if it still works. to get the browser to reprompt just respond with a 401
error. you will have to remember that you sent the 401, or they will never
get in again.
-- bruce (sqlwork.com)
Nov 18 '05 #2
I think I understand the approach you suggested.
But, I must be doing something wrong, because now I get prompted twice
during the FIRST request.
Then after the timeout (3 minutes) it does re-prompt me (YES, that's exactly
what I was looking for).
So, what did I do wrong that causes it to prompt me twice during the First
request?

This code is at the top of the Page_Load() method of the page I want to
protect:

    If context.Session.Item("USEROBJ") Is Nothing Then
        ' No identity cached in the session yet
        If context.Session.Item("AUTH_PROMPT") = True Then
            ' A 401 has already been sent for this session
            If context.User.Identity.IsAuthenticated Then
                context.Session.Add("USEROBJ", context.User.Identity)
            Else
                Response.StatusCode = 401
            End If
        Else
            ' No 401 sent yet for this session: record it, then send it
            context.Session.Add("AUTH_PROMPT", True)
            Response.StatusCode = 401
        End If
    End If
Nov 18 '05 #3
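
Added example, not part of any post in this thread: the 401 re-challenge discussed above, written with an explicit last-activity timestamp in session state and a flag that remembers the challenge was sent. The class name ProtectedPage, the session keys LAST_SEEN and REAUTH_PENDING, and the helpers NeedsChallenge and Deny are assumptions of this example; it also assumes anonymous access is disabled in IIS and that the session timeout is longer than the 3-minute idle limit.

```vbnet
Imports System
Imports System.Web.UI

Public Class ProtectedPage
    Inherits Page

    ' Idle limit from the thread: 3 minutes.
    Private Shared ReadOnly IdleLimit As TimeSpan = TimeSpan.FromMinutes(3)

    ' True (fail closed): a session with no timestamp is challenged, which is
    ' what produces the second prompt on a first visit, because IIS has already
    ' challenged the browser before Page_Load runs. False removes that prompt
    ' but also skips the challenge whenever session state has been lost.
    Private Const ChallengeNewSession As Boolean = True

    ' Decision logic only; True means "send a 401 for this request".
    Public Shared Function NeedsChallenge(lastSeen As Object, pending As Boolean,
                                          nowUtc As DateTime) As Boolean
        If pending Then Return False    ' challenge already sent, accept the retry
        If lastSeen Is Nothing Then Return ChallengeNewSession
        Return (nowUtc - CType(lastSeen, DateTime)) > IdleLimit
    End Function

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim nowUtc As DateTime = DateTime.UtcNow
        Dim pending As Boolean = Session("REAUTH_PENDING") IsNot Nothing

        If NeedsChallenge(Session("LAST_SEEN"), pending, nowUtc) Then
            ' Remember that the 401 went out; without this flag every later
            ' request would be challenged again and the user never gets in.
            Session("REAUTH_PENDING") = True
            Deny()
        End If

        If Not Context.User.Identity.IsAuthenticated Then Deny()

        ' Authenticated request, any pending challenge answered: restart the timer.
        Session.Remove("REAUTH_PENDING")
        Session("LAST_SEEN") = nowUtc
    End Sub

    ' Send the 401 and end the response so the rest of the page does not run.
    ' Response.End() aborts the request thread, so callers do not continue.
    Private Sub Deny()
        Response.StatusCode = 401
        Response.End()
    End Sub
End Class
```

The server cannot tell credentials the user typed again from credentials the browser resends on its own, so this enforces that a challenge was issued, not that the password was re-entered.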
Another way u could do this is to use Javascript to timeout at any time
u want..
If u are interested in JS let me know!
Nov 18 '05 #4
I give up...
I'm just going to use FormsAuthentication and write a Login page that will
take the users Windows Domain Credentials and validate them against AD on
the backend. This way I can take advantage of being able to
programmatically control how long a User remains Authenticated. This seems
to be the only approach that will work. Apparently, Windows Authentication
doesn't have a Timeout value that can be set programmatically for ASPX
pages. "Once you're in, you're in" approach seems to be in place. I
understand that SSO (Single Sign-On) is the approach that Windows Integrated
Authentication was going for here, but it seems like programmers should be
able to override this in order to add additional security to certain parts
of their application.

If someone from Microsoft is listening, and can shed some light on this,
please stop me now, and clue me in on the secret...

Thanks.

-- Will Gillen
Nov 18 '05 #5
But if on pages you could use Jscript?
To timeout why the stress!!
Patrick
Nov 18 '05 #6
Can you provide an example of what you are referring...
You have my attention, I'm willing to explore anything that could keep me
from rewriting half of my code just to accommodate a simple timeout...

Thank you...

-- Will G.
Nov 18 '05 #7
Hi Will,
Look through these 2 articles, they should help you:-

http://www.extremeexperts.com/Net/Ar...onTimeout.aspx

http://developer.irt.org/script/1563.htm

Enjoy!
Nov 18 '05 #8
Seems to me this would be extremely annoying for your users - however,
you could try something like Neoteris - sort of an http VPN product -
and make your users authenticate through there.
Nov 18 '05 #9
Ok, the idea to use Javascript to redirect after a certain time to a page
that asks the user to "close their window" is a bit cumbersome. I agree it
would be somewhat annoying...

So, what about this:

I could use FormsAuthentication, and validate the person's Userid/Password
against my backend AD provider. Then I could use Impersonation from that
point so that my NT permissions still apply on the individual ASPX page(s)
that I want to protect.

Is that correct? Is there a way to use impersonation in this way, so that I
can continue to use my NTFS permissions on the individual files?

I don't mind adding FormsAuthentication if I can still utilize my permission
settings...

Thanks.

-- Will G.
Nov 18 '05 #10
Will, I guess u wanted to implement Windows Auth timeout before. The user
mustn't close the window, u could modify the Jscript to do what u like after
the session timeout!

If u would be interested with forms auth timeout u could easily implement
that as u explained. Try reading through Web.Config, you can do a lot there..
GDLUCK!
Nov 18 '05 #11
