Microsoft IIS - End User Sessions

Monopoly money comes in many flavors: 7, Vista, XP, 2K, ME, 98, etc.

Moderators: Flying Fox, Ryu Connor

Microsoft IIS - End User Sessions

Postposted on Fri Oct 29, 2010 2:55 pm

Interesting problem, I have a small IIS server that uses Windows Authentication. Whenever the user visits the webpage they are prompted for a username & password over an SSL connection. All of that works just fine, however if the user opens the webpage in a tab and closes that tab they stay logged in. Meaning they don't get prompted again for the username & password!?

FYI if the user completely closes the browser, and then navigates to the page they are prompted for a username & password.

Does anyone know a way to end the session when a tab is closed, or at the very least some code that will end the session when executed (perhaps put this code in a logout page)?
malebolgia
Gerbil Elite
 
Posts: 973
Joined: Fri Apr 05, 2002 6:00 pm
Location: New Mexico, USA

Re: Microsoft IIS - End User Sessions

Postposted on Fri Oct 29, 2010 4:25 pm

As far as I know there isn't a way to adjust the behavior you're seeing through configuation of IIS settings. Really, Windows Authentication is more ideally suited for internal use only, it's meant to be a single sign on style solution within a domain. There might be a code solution to prompt your users to close their browser if you're really set on using Windows Auth in IIS.

I would suggest using Forms Authentication instead. That actually allows you to set when a cookie based authentication expires. That sounds like it would better fit your needs.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3450
Joined: Thu Dec 27, 2001 6:00 pm
Location: Marietta, GA

Re: Microsoft IIS - End User Sessions

Postposted on Mon Nov 01, 2010 7:45 am

I want to say that Forms Authentication can work the same (user names & passwords). However, it has to tie into active directory. Do you know if that's true, and if it's possible to get Forms Authentication to work without AD?
malebolgia
Gerbil Elite
 
Posts: 973
Joined: Fri Apr 05, 2002 6:00 pm
Location: New Mexico, USA

Re: Microsoft IIS - End User Sessions

Postposted on Mon Nov 01, 2010 8:47 am

Forms can work without AD.

http://msdn.microsoft.com/en-us/library/ff647070.aspx

Membership and Login Controls
ASP.NET 2.0 introduces a membership feature and set of login Web server controls that simplify the implementation of applications that use forms authentication.

Membership provides credential storage and management for application users. It also provides a membership API that simplifies the task of validating user credentials when used with forms authentication. The membership feature is built on top of a provider model. This model allows implementing and configuring different providers pointing to different user stores. ASP.NET 2.0 includes the following membership providers:

•Active Directory membership provider. This provider uses either an Active Directory or Active Directory Application Mode (ADAM) user store.
•SQL Server membership provider. This provider uses a SQL Server user store.
You can also add support for custom user stores. For example, you can add support for other Lightweight Directory Access Protocol (LDAP) directories or other existing corporate identity stores. To do so, create a custom provider that inherits from the MembershipProvider abstract base class.

ASP.NET login controls automatically use membership and forms authentication and encapsulate the logic required to prompt users for credentials, validate users, recover or replace passwords, and so on. In effect, the ASP.NET login controls provide a layer of abstraction over forms authentication and membership, and they replace most, or all of, the work you would normally have to do to use forms authentication.

For more information about using the membership feature and login controls, see How To: Use Membership in ASP.NET 2.0.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3450
Joined: Thu Dec 27, 2001 6:00 pm
Location: Marietta, GA

Re: Microsoft IIS - End User Sessions

Postposted on Mon Nov 01, 2010 10:04 am

Interesting thanks!
malebolgia
Gerbil Elite
 
Posts: 973
Joined: Fri Apr 05, 2002 6:00 pm
Location: New Mexico, USA

Re: Microsoft IIS - End User Sessions

Postposted on Sat Nov 20, 2010 7:37 pm

when opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.
ericpeacock79
Gerbil In Training
 
Posts: 5
Joined: Sat Nov 20, 2010 10:12 am

Re: Microsoft IIS - End User Sessions

Postposted on Sun Nov 21, 2010 7:12 pm

ericpeacock79 wrote:when opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.

No, it does not. I suspect this is because I'm using Windows Auth.
malebolgia
Gerbil Elite
 
Posts: 973
Joined: Fri Apr 05, 2002 6:00 pm
Location: New Mexico, USA

Re: Microsoft IIS - End User Sessions

Postposted on Sun Nov 21, 2010 8:53 pm

malebolgia wrote:
ericpeacock79 wrote:when opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.

No, it does not. I suspect this is because I'm using Windows Auth.

Actually, I don't think this behavior is specific to Windows Auth. IIRC it behaves that way with Apache's built-in "basic" authorization mechanism as well.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 36917
Joined: Tue Aug 20, 2002 9:51 pm
Location: Somewhere, having a beer


Return to Windows

Who is online

Users browsing this forum: No registered users and 7 guests