|
|
You're in the
iis security
group:Force Relogin. IIS6, ASP.NET app, IE6+ browser
iis security:
already authenticated user (Using Integrated Windows Authentication) to login again for my web site. I want them to be able to "logoff" for security reasons and not have to close their browser. That way if someone sits at their workstation and tries to link again to the site in question it will prompt with the windows dialog again. Currently, if I try to "login" again in the same browser it appears to already know who I am (a believe some cookie or token is being held onto) and doesn't prompt me to login again. Any ideas anyone? -- Thanks,
I continue to research this and have hypothesized that what I'd really like
to happen is to have IIS issue a NEW session id to the client once Session.Abandon is specified in my ASP.NET application. What appears to happen by default is that the Session ID remains the same after the abandon, but on the next connection IsNewSession is true. My hope is that when IIS sees a different SessionID it will again prompt for the user with a windows login dialog. Anyone got any feedback on this "guess"? Again, Otis -- Thanks, Otis [quoted text, click to view] "Otis" wrote:
> I'm trying to determine if it is possible to programmatically force an > already authenticated user (Using Integrated Windows Authentication) to login > again for my web site. I want them to be able to "logoff" for security > reasons and not have to close their browser. That way if someone sits at > their workstation and tries to link again to the site in question it will > prompt with the windows dialog again. Currently, if I try to "login" again > in the same browser it appears to already know who I am (a believe some > cookie or token is being held onto) and doesn't prompt me to login again. > Any ideas anyone? > -- > Thanks,
Actually, what you want to do is impossible with your current
constraints. You will have to write a custom authentication protocol to get the behavior you want. And let's just leave your hypothesis alone - there are no cookies/tokens involved; IIS has no idea what a session is; IIS does not prompt with a login dialog. The problem you face is that a browser will automatically attempt Integrated Authentication using the currently logged in Windows user credentials to login to a website which is in a Zone configured for auto login. And the server cannot do anything about it because logins (and auto-login) is a client-side optimization. If you can control the browsers to not auto-login to your website, and you can make your Web Application CLOSE the connection to logoff, then you can get the behavior you want with Integrated Authentication (NTLM). Integrated Authentication (Kerberos) is something different. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] Otis wrote:
> I continue to research this and have hypothesized that what I'd really like > to happen is to have IIS issue a NEW session id to the client once > Session.Abandon is specified in my ASP.NET application. What appears to > happen by default is that the Session ID remains the same after the abandon, > but on the next connection IsNewSession is true. My hope is that when IIS > sees a different SessionID it will again prompt for the user with a windows > login dialog. Anyone got any feedback on this "guess"? > > Again, > Otis > > -- > Thanks, > Otis > > > "Otis" wrote: > > > I'm trying to determine if it is possible to programmatically force an > > already authenticated user (Using Integrated Windows Authentication) to login > > again for my web site. I want them to be able to "logoff" for security > > reasons and not have to close their browser. That way if someone sits at > > their workstation and tries to link again to the site in question it will > > prompt with the windows dialog again. Currently, if I try to "login" again > > in the same browser it appears to already know who I am (a believe some > > cookie or token is being held onto) and doesn't prompt me to login again. > > Any ideas anyone? > > -- > > Thanks, > > Otis
David,
Thanks for the reply. I was heading down the wrong path trying to reset the SessionID with Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", "")) and though that did force a new sessionid... it invalidated my hypothesis (as I believe you were hinting at by not addressing it). So, now it appears you are suggesting I either write a custom authentication protocol ( I might be up for that) or I make the browsers not auto-login ( I can specify that) while also having the Web Application CLOSE the connection. 1) Could you suggest a web site or book with examples on writing the custom authentication protocol please? 2) How does one CLOSE the connection programmatically from the Web Application? Thanks in advance for your reply! -- Thanks, Otis [quoted text, click to view] "David Wang" wrote:
> Actually, what you want to do is impossible with your current > constraints. You will have to write a custom authentication protocol to > get the behavior you want. > > And let's just leave your hypothesis alone - there are no > cookies/tokens involved; IIS has no idea what a session is; IIS does > not prompt with a login dialog. > > The problem you face is that a browser will automatically attempt > Integrated Authentication using the currently logged in Windows user > credentials to login to a website which is in a Zone configured for > auto login. And the server cannot do anything about it because logins > (and auto-login) is a client-side optimization. > > If you can control the browsers to not auto-login to your website, and > you can make your Web Application CLOSE the connection to logoff, then > you can get the behavior you want with Integrated Authentication > (NTLM). Integrated Authentication (Kerberos) is something different. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > Otis wrote: > > I continue to research this and have hypothesized that what I'd really like > > to happen is to have IIS issue a NEW session id to the client once > > Session.Abandon is specified in my ASP.NET application. What appears to > > happen by default is that the Session ID remains the same after the abandon, > > but on the next connection IsNewSession is true. My hope is that when IIS > > sees a different SessionID it will again prompt for the user with a windows > > login dialog. Anyone got any feedback on this "guess"? > > > > Again, > > Otis > > > > -- > > Thanks, > > Otis > > > > > > "Otis" wrote: > > > > > I'm trying to determine if it is possible to programmatically force an > > > already authenticated user (Using Integrated Windows Authentication) to login > > > again for my web site. I want them to be able to "logoff" for security > > > reasons and not have to close their browser. That way if someone sits at > > > their workstation and tries to link again to the site in question it will > > > prompt with the windows dialog again. Currently, if I try to "login" again > > > in the same browser it appears to already know who I am (a believe some > > > cookie or token is being held onto) and doesn't prompt me to login again. > > > Any ideas anyone? > > > -- > > > Thanks, > > > Otis >
Unfortunately, I am bad at giving advice for websites or books for this
stuff because I don't use them (I'd just go build it myself with just an API reference). I would not mind perusing/evaluating any website/books that you come across. Hmm, maybe I can get motivated with enough time to go blog about this topic as well. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] Otis wrote:
> David, > Thanks for the reply. I was heading down the wrong path trying to reset the > SessionID with Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", "")) > and though that did force a new sessionid... it invalidated my hypothesis (as > I believe you were hinting at by not addressing it). > So, now it appears you are suggesting I either write a custom authentication > protocol ( I might be up for that) or I make the browsers not auto-login ( I > can specify that) while also having the Web Application CLOSE the connection. > > 1) Could you suggest a web site or book with examples on writing the custom > authentication protocol please? > 2) How does one CLOSE the connection programmatically from the Web > Application? > Thanks in advance for your reply! > -- > Thanks, > Otis > > > "David Wang" wrote: > > > Actually, what you want to do is impossible with your current > > constraints. You will have to write a custom authentication protocol to > > get the behavior you want. > > > > And let's just leave your hypothesis alone - there are no > > cookies/tokens involved; IIS has no idea what a session is; IIS does > > not prompt with a login dialog. > > > > The problem you face is that a browser will automatically attempt > > Integrated Authentication using the currently logged in Windows user > > credentials to login to a website which is in a Zone configured for > > auto login. And the server cannot do anything about it because logins > > (and auto-login) is a client-side optimization. > > > > If you can control the browsers to not auto-login to your website, and > > you can make your Web Application CLOSE the connection to logoff, then > > you can get the behavior you want with Integrated Authentication > > (NTLM). Integrated Authentication (Kerberos) is something different. > > > > > > //David > > http://w3-4u.blogspot.com > > http://blogs.msdn.com/David.Wang > > // > > > > > > Otis wrote: > > > I continue to research this and have hypothesized that what I'd really like > > > to happen is to have IIS issue a NEW session id to the client once > > > Session.Abandon is specified in my ASP.NET application. What appears to > > > happen by default is that the Session ID remains the same after the abandon, > > > but on the next connection IsNewSession is true. My hope is that when IIS > > > sees a different SessionID it will again prompt for the user with a windows > > > login dialog. Anyone got any feedback on this "guess"? > > > > > > Again, > > > Otis > > > > > > -- > > > Thanks, > > > Otis > > > > > > > > > "Otis" wrote: > > > > > > > I'm trying to determine if it is possible to programmatically force an > > > > already authenticated user (Using Integrated Windows Authentication) to login > > > > again for my web site. I want them to be able to "logoff" for security > > > > reasons and not have to close their browser. That way if someone sits at > > > > their workstation and tries to link again to the site in question it will > > > > prompt with the windows dialog again. Currently, if I try to "login" again > > > > in the same browser it appears to already know who I am (a believe some > > > > cookie or token is being held onto) and doesn't prompt me to login again. > > > > Any ideas anyone? > > > > -- > > > > Thanks, > > > > Otis > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |