Michael J. Mooney #1
Windows Authentication Expiration
Greetings,
If you set an ASP.NET site up with Windows NT Authentication, is it possible
to set a session timeout? Currently, it appears that the IIS session will
timeout after the specified period of time, but if the user keeps the
browser open, they are never prompted for their credentials again. We would
like the site to prompt the user for their windows credentials if their IIS
session times out over a certain period of time.
Any ideas?
Thanks,
Michael J. Mooney
MCP+SB, MCAD, MCSD
Michael J. Mooney Guest
-
Michael J. Mooney #2
Re: Windows Authentication Expiration
BTW, I would like to avoid doing the Windows/Forms Authentication scheme
described here:
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/mixedsecurity.asp[/url]
Thanks,
Michael J. Mooney
MCP+SB, MCAD, MCSD
"Michael J. Mooney" <mike_mooney@_yahoo.com.NOSPAM> wrote in message
news:O%23gUi2COEHA.624@TK2MSFTNGP11.phx.gbl...
> Greetings,
> If you set an ASP.NET site up with Windows NT Authentication, is it possible
> to set a session timeout? Currently, it appears that the IIS session will
> timeout after the specified period of time, but if the user keeps the
> browser open, they are never prompted for their credentials again. We would
> like the site to prompt the user for their windows credentials if their IIS
> session times out over a certain period of time.
>
> Any ideas?
>
> Thanks,
> Michael J. Mooney
> MCP+SB, MCAD, MCSD
>
>
Michael J. Mooney Guest
-
Ken Schaefer #3
Re: Windows Authentication Expiration
AFAIK there are no easy ways to do this anymore. The authentication process
(and subsequent resending of credentials) is part of the HTTP specification,
so it's not easy for you to "modify" per se.
What you are seeing is documented here:
[url]http://support.microsoft.com/?id=264921[/url]
(scroll right down to the bottom and read the second bullet point under
"notes")
You used to be able to do something like use a client-side <meta
http-equiv="refresh"> or javascript to redirect the user to:
[url]http://user:nonvalidpassword@www.yoursite.com/somepage.aspx[/url]
and the browser would then use: user and nonvalidpassword, overriding what
it was using before. Because the password isn't valid, the user would be
prompted to supply valid credentials. However, the most recent IE cumulative
rollup patch means that IE no longer supports user credentials in the URI.
The only ways I can think of are:
a) Use client-side ActiveX control here:
[url]http://support.microsoft.com/?id=195192[/url]
b) Use some client-side javascript to close the user's browser (and all
other IE windows running in the current process) - though this becomes
painful for the user since they need to reopen all the browser windows again
c) Programmatically send a 403 header to the client (Not Authorized) and
force the browser to pop-up user credentials dialogue box. You'd need some
way of making sure that after the initial 403 header, then next header is
200 if the user credentials are OK.
Cheers
Ken
"Michael J. Mooney" <mike_mooney@_yahoo.com.NOSPAM> wrote in message
news:O%23gUi2COEHA.624@TK2MSFTNGP11.phx.gbl...
: Greetings,
: If you set an ASP.NET site up with Windows NT Authentication, is it possible
: to set a session timeout? Currently, it appears that the IIS session will
: timeout after the specified period of time, but if the user keeps the
: browser open, they are never prompted for their credentials again. We would
: like the site to prompt the user for their windows credentials if their IIS
: session times out over a certain period of time.
:
: Any ideas?
:
: Thanks,
: Michael J. Mooney
: MCP+SB, MCAD, MCSD
:
:
Ken Schaefer Guest
-
Joseph E Shook [MVP - ADSI] #4
Re: Windows Authentication Expiration
I have a button on a few applications for changing user credentials in a
currently logged in web application secured with integrated security. I
included the code below. It works for changing user credentials but I
have not tested it for the kind of purpose Michael wants. You should be
able to hook this into the Application level events of the HTTP Pipeline
but off the top of my head I am not sure what I would do. The
Global_Authentication (Application_AuthenticateRequest in global.asax)
seems to be the place I would first go but at that point I don't believe
you have access to the session. But anyways maybe this will give you
some ideas.
private void Button1_Click(object sender, System.EventArgs e)
{
    HttpCookie chandLogonCookie;
    chandLogonCookie = Request.Cookies["ChangeLogin"];
    try
    {
        if (chandLogonCookie.Value != "true")
        {
            chandLogonCookie = new HttpCookie("ChangeLogin", "true");
            Response.Cookies.Add(chandLogonCookie);
        }
        else
        {
            //Ask IIS to authenticate the user if they are currently anonymous.
            //This may allow a second request to succeed.
            Response.StatusCode = 401;
            Response.StatusDescription = "Unauthorized";
            Response.Write("<h2>You are not authorized to view this page</h2>");
            Response.Cookies["ChangeLogin"].Value = "false";
        }
    }
    catch
    {
        chandLogonCookie = new HttpCookie("ChangeLogin", "false");
        Response.Cookies.Add(chandLogonCookie);
        //Ask IIS to authenticate the user if they are currently anonymous.
        //This may allow a second request to succeed.
        Response.StatusCode = 401;
        Response.StatusDescription = "Unauthorized";
        Response.Write("<h2>Unauthorized...</h2>");
    }
}
Ken Schaefer wrote:
> AFAIK there are no easy ways to do this anymore. The authentication process
> (and subsequent resending of credentials) is part of the HTTP specification,
> so it's not easy for you to "modify" per se.
>
> What you are seeing is documented here:
> [url]http://support.microsoft.com/?id=264921[/url]
> (scroll right down to the bottom and read the second bullet point under
> "notes")
>
> You used to be able to do something like use a client-side <meta
> http-equiv="refresh"> or javascript to redirect the user to:
> [url]http://user:nonvalidpassword@www.yoursite.com/somepage.aspx[/url]
> and the browser would then use: user and nonvalidpassword, overriding what
> it was using before. Because the password isn't valid, the user would be
> prompted to supply valid credentials. However, the most recent IE cumulative
> rollup patch means that IE no longer supports user credentials in the URI.
>
> The only ways I can think of are:
> a) Use client-side ActiveX control here:
> [url]http://support.microsoft.com/?id=195192[/url]
>
> b) Use some client-side javascript to close the user's browser (and all
> other IE windows running in the current process) - though this becomes
> painful for the user since they need to reopen all the browser windows again
>
> c) Programmatically send a 403 header to the client (Not Authorized) and
> force the browser to pop-up user credentials dialogue box. You'd need some
> way of making sure that after the initial 403 header, then next header is
> 200 if the user credentials are OK.
>
> Cheers
> Ken
>
> "Michael J. Mooney" <mike_mooney@_yahoo.com.NOSPAM> wrote in message
> news:O%23gUi2COEHA.624@TK2MSFTNGP11.phx.gbl...
> : Greetings,
> : If you set an ASP.NET site up with Windows NT Authentication, is it possible
> : to set a session timeout? Currently, it appears that the IIS session will
> : timeout after the specified period of time, but if the user keeps the
> : browser open, they are never prompted for their credentials again. We would
> : like the site to prompt the user for their windows credentials if their IIS
> : session times out over a certain period of time.
> :
> : Any ideas?
> :
> : Thanks,
> : Michael J. Mooney
> : MCP+SB, MCAD, MCSD
> :
> :
>
>
Joseph E Shook [MVP - ADSI] Guest
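One way to apply the 401 challenge from the post above at the application level, in a pipeline event that runs after session state has been loaded. This is an added example, not code from any poster in this thread; it assumes cookie-based sessions with the default ASP.NET_SessionId cookie name, IIS Windows authentication with anonymous access disabled, and a hypothetical session key named ReauthState.

```csharp
// Global.asax.cs (added example, not code from the thread)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: default session cookie name, cookie-based sessions.
    const string SessionCookie = "ASP.NET_SessionId";
    // Hypothetical session key; any stored value makes the session persist.
    const string StateKey = "ReauthState";

    // Runs after session state is loaded and before the page handler executes.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx.Session == null)
            return; // handler that does not use session state

        // A brand-new session on a request that still carries a session cookie
        // means the previous session timed out while the browser stayed open.
        bool expired = ctx.Session.IsNewSession
                       && ctx.Request.Cookies[SessionCookie] != null;

        if (expired)
        {
            // Storing a value persists the new session, so the browser's retry
            // is no longer a new session and is let through below.
            ctx.Session[StateKey] = "challenged";
            ctx.Response.Clear();
            ctx.Response.StatusCode = 401;
            ctx.Response.StatusDescription = "Unauthorized";
            ctx.Response.Write("<h2>Session expired. Please log in again.</h2>");
            CompleteRequest(); // skip the page and go straight to EndRequest
            return;
        }

        // First request of a session, or the authenticated retry after a challenge.
        ctx.Session[StateKey] = "ok";
    }
}
```

The server cannot tell freshly typed credentials from ones the browser replays from its cache, so a user who cancels the prompt and reloads may still get through. Whether a prompt appears at all depends on the browser's automatic-logon settings.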

