Radu Negrila

Reputation: 667

Windows Authentication Timeout

How can you suspend access to a user session after a specified interval of inactivity when using Windows Integrated Security for an ASP.NET MVC Website?

Upvotes: 2

Views: 734

Answers (1)

Radu Negrila

Reputation: 667

When using Kerberos for authentication, Internet Explorer (IE) will continue sending the same credentials for each subsequent request to the server until one of two things happens:

   a) The user closes their browser.
   b) The server refuses the credentials with a 401 status code.

This behavior is described in KB 264921.

If we want to simulate a session, then we have to implement the following steps:

  1. Create a sliding expiration cookie for the duration of the session.
  2. Check for that cookie for every request: begin_request or global filters. If the cookie is missing return a 401 status code for that specific request.
  3. Next request will trigger the authentication prompt.

I was hoping someone else would have a better idea; this one feels kind of hacky.

Upvotes: 1
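
The three steps from the answer above, sketched as a global ASP.NET MVC filter. This is an added example, not code from the original post. It assumes .NET 4.5 or later with Windows Authentication enabled and anonymous access disabled; the class name, cookie names and the 15-minute interval are hypothetical. It goes one step beyond the answer by setting a short-lived "challenged" marker, without which every request after the 401 would be refused again, and it seals the timestamps with `MachineKey` so the client cannot extend its own window.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example. Register once: GlobalFilters.Filters.Add(new IdleTimeoutFilter());
public class IdleTimeoutFilter : IAuthorizationFilter
{
    const string Activity = "idle-activity";      // hypothetical cookie names
    const string Challenged = "idle-challenged";
    static readonly TimeSpan Idle = TimeSpan.FromMinutes(15);  // assumed idle timeout
    static readonly TimeSpan Grace = TimeSpan.FromMinutes(2);  // time allowed to answer the 401

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        string user = http.User.Identity.Name;    // non-empty because anonymous access is off
        DateTime now = DateTime.UtcNow;
        if (IsValid(http.Request.Cookies[Activity], Activity, user, now, Idle) ||
            IsValid(http.Request.Cookies[Challenged], Challenged, user, now, Grace))
        {
            // Step 1: active session, or first request after the challenge: slide the window.
            Set(http, Activity, Seal(Activity, user, now), now + Idle);
            Set(http, Challenged, "", now.AddDays(-1));   // expire the marker
            return;
        }
        // Step 2: no valid activity cookie. Record that a challenge was issued
        // and refuse the cached credentials with a 401 for this request.
        Set(http, Challenged, Seal(Challenged, user, now), now + Grace);
        filterContext.Result = new HttpUnauthorizedResult();
    }

    // Timestamp sealed with the machine key, bound to the cookie name and the user.
    static string Seal(string purpose, string user, DateTime stamp)
    {
        byte[] data = BitConverter.GetBytes(stamp.Ticks);
        return HttpServerUtility.UrlTokenEncode(MachineKey.Protect(data, purpose, user));
    }

    static bool IsValid(HttpCookie c, string purpose, string user, DateTime now, TimeSpan max)
    {
        if (c == null || string.IsNullOrEmpty(c.Value)) return false;
        try
        {
            byte[] raw = MachineKey.Unprotect(HttpServerUtility.UrlTokenDecode(c.Value), purpose, user);
            return now - new DateTime(BitConverter.ToInt64(raw, 0), DateTimeKind.Utc) <= max;
        }
        catch (Exception) { return false; }       // tampered, foreign or malformed value
    }

    static void Set(HttpContextBase http, string name, string value, DateTime expires)
    {
        http.Response.Cookies.Set(new HttpCookie(name, value)
            { Expires = expires, HttpOnly = true, Secure = http.Request.IsSecureConnection });
    }
}
```

A browser configured to log on automatically answers the 401 without showing a prompt, so step 3 only produces a visible prompt where automatic logon is off.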
