malebolgia
Gerbil Elite
Topic Author
Posts: 973
Joined: Fri Apr 05, 2002 7:00 pm
Location: USA

Microsoft IIS - End User Sessions

Fri Oct 29, 2010 3:55 pm

Interesting problem, I have a small IIS server that uses Windows Authentication. Whenever the user visits the webpage they are prompted for a username & password over an SSL connection. All of that works just fine, however if the user opens the webpage in a tab and closes that tab they stay logged in. Meaning they don't get prompted again for the username & password!?

FYI if the user completely closes the browser, and then navigates to the page they are prompted for a username & password.

Does anyone know a way to end the session when a tab is closed, or at the very least some code that will end the session when executed (perhaps put this code in a logout page)?
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Microsoft IIS - End User Sessions

Fri Oct 29, 2010 5:25 pm

As far as I know there isn't a way to adjust the behavior you're seeing through configuration of IIS settings. Really, Windows Authentication is more ideally suited for internal use only, it's meant to be a single sign on style solution within a domain. There might be a code solution to prompt your users to close their browser if you're really set on using Windows Auth in IIS.

I would suggest using Forms Authentication instead. That actually allows you to set when a cookie based authentication expires. That sounds like it would better fit your needs.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
malebolgia
Gerbil Elite
Topic Author
Posts: 973
Joined: Fri Apr 05, 2002 7:00 pm
Location: USA

Re: Microsoft IIS - End User Sessions

Mon Nov 01, 2010 8:45 am

I want to say that Forms Authentication can work the same (user names & passwords). However, it has to tie into active directory. Do you know if that's true, and if it's possible to get Forms Authentication to work without AD?
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Microsoft IIS - End User Sessions

Mon Nov 01, 2010 9:47 am

Forms can work without AD.

http://msdn.microsoft.com/en-us/library/ff647070.aspx

Membership and Login Controls
ASP.NET 2.0 introduces a membership feature and set of login Web server controls that simplify the implementation of applications that use forms authentication.

Membership provides credential storage and management for application users. It also provides a membership API that simplifies the task of validating user credentials when used with forms authentication. The membership feature is built on top of a provider model. This model allows implementing and configuring different providers pointing to different user stores. ASP.NET 2.0 includes the following membership providers:

• Active Directory membership provider. This provider uses either an Active Directory or Active Directory Application Mode (ADAM) user store.
• SQL Server membership provider. This provider uses a SQL Server user store.

You can also add support for custom user stores. For example, you can add support for other Lightweight Directory Access Protocol (LDAP) directories or other existing corporate identity stores. To do so, create a custom provider that inherits from the MembershipProvider abstract base class.

ASP.NET login controls automatically use membership and forms authentication and encapsulate the logic required to prompt users for credentials, validate users, recover or replace passwords, and so on. In effect, the ASP.NET login controls provide a layer of abstraction over forms authentication and membership, and they replace most, or all of, the work you would normally have to do to use forms authentication.

For more information about using the membership feature and login controls, see How To: Use Membership in ASP.NET 2.0.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
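
The Forms Authentication setup suggested in the replies above (a cookie ticket with a set expiry, backed by the SQL Server membership provider instead of Active Directory), as an added example that is not part of the original thread or the quoted MSDN page. The connection string, the names `AppUsersDb`, `AppSqlProvider`, `.APPAUTH`, `/IntranetApp`, the page path and the numeric limits are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Constructed web.config for an ASP.NET 2.0+ site using Forms Authentication. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at the membership database (created with aspnet_regsql.exe). -->
    <add name="AppUsersDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes. slidingExpiration="false" makes it an absolute
           limit instead of renewing on activity. requireSSL keeps the ticket
           cookie off plain HTTP; protection="All" encrypts and validates it. -->
      <forms name=".APPAUTH"
             loginUrl="~/Login.aspx"
             timeout="15"
             slidingExpiration="false"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users: everyone must sign in first. -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="AppSqlProvider">
      <providers>
        <clear />
        <!-- SQL Server user store, so no Active Directory is needed. -->
        <add name="AppSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppUsersDb"
             applicationName="/IntranetApp"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             minRequiredPasswordLength="12"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Closing a tab does not discard the ticket cookie any more than it discards cached Windows credentials, so the session ends through the `timeout` above or through a logout page that calls `FormsAuthentication.SignOut()`.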
 
malebolgia
Gerbil Elite
Topic Author
Posts: 973
Joined: Fri Apr 05, 2002 7:00 pm
Location: USA

Re: Microsoft IIS - End User Sessions

Mon Nov 01, 2010 11:04 am

Interesting, thanks!
 
ericpeacock79
Gerbil In Training
Posts: 5
Joined: Sat Nov 20, 2010 11:12 am

Re: Microsoft IIS - End User Sessions

Sat Nov 20, 2010 8:37 pm

When opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.
 
malebolgia
Gerbil Elite
Topic Author
Posts: 973
Joined: Fri Apr 05, 2002 7:00 pm
Location: USA

Re: Microsoft IIS - End User Sessions

Sun Nov 21, 2010 8:12 pm

ericpeacock79 wrote:
When opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.

No, it does not. I suspect this is because I'm using Windows Auth.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Microsoft IIS - End User Sessions

Sun Nov 21, 2010 9:53 pm

malebolgia wrote:
ericpeacock79 wrote:
When opening link in new tab, the web-server doesn't recognize that as a new, separate connection, since the original connection (authentication session) isn't closed.

No, it does not. I suspect this is because I'm using Windows Auth.

Actually, I don't think this behavior is specific to Windows Auth. IIRC it behaves that way with Apache's built-in "basic" authorization mechanism as well.
Nostalgia isn't what it used to be.
