.NET Forum / ASP.NET / Security / October 2007

Integrated Windows Authentication and Session Timeout.

Sulaiman - 19 Oct 2007 02:29 GMT
The main idea of IWA is to have a web site with single sign-on capabilities, and I
think it is good if you have a web site that caters to internal people.
A few questions come out of this implementation:
1) How does the C# Windows Authentication work? Does the NTLM handshake only
happen in the first request? Or does it perform an NTLM handshake for every
request that gets sent to the server?

If the NTLM handshake only happens in the first request, how does the server
maintain the client state? Is it through a cookie?

2) In a form-based implementation, it is very easy to implement session
timeout. We initially assign the user an authentication cookie and just set
the authentication cookie to expire in, say, 20 minutes. If it is expired, then
just redirect to the login page. However, in the Windows Authentication
environment, how do you implement session timeout? Because as long as the user
is still logged in to the machine, it should never time out? What do you guys
think about this?

Sulaiman - 19 Oct 2007 02:56 GMT
Sorry, maybe I should post with the right terms... I need to differentiate
between authentication and session state... I made some changes below

> If the NTLM handshake only happens in the first request, how does the server
> maintain the client state? is it through cookie?

How does the server maintain the authentication state? Is it through a cookie?

Dominick Baier - 24 Oct 2007 14:35 GMT
The NTLM credentials are sent on every request, but IIS and the LSA do some
clever caching so they don't have to do a roundtrip to the registry/a DC
every time.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Sorry, maybe I should post with the right terms... I need to
> differentiate between authentication and session state... I made some
[quoted text clipped - 5 lines]
> How does the server maintain the authentication state? Is it through
> cookie?
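
To check question 1 against your own traffic, the following added example (not code from the thread's participants) classifies the NTLM message carried in an `Authorization` or `WWW-Authenticate` header and counts AUTHENTICATE (type 3) messages per connection. The trace, the connection ids and the `make_token` helper are constructed for the example and say nothing about how a particular IIS server behaves.

```python
import base64
import struct
from collections import defaultdict

NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Name of the NTLM message in a header value, or None if it carries no NTLM token."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None
    # An NTLM message is "NTLMSSP\0" followed by a little-endian uint32 message type.
    if len(token) < 12 or not token.startswith(NTLM_SIGNATURE):
        return None  # e.g. a Kerberos/SPNEGO token sent under "Negotiate"
    (msg_type,) = struct.unpack_from("<I", token, 8)
    return MESSAGE_TYPES.get(msg_type)

def handshakes_per_connection(trace):
    """trace: (connection_id, request_line, Authorization header or None) tuples."""
    stats = defaultdict(lambda: {"requests": 0, "authenticate": 0})
    for conn, _request, auth in trace:
        stats[conn]["requests"] += 1
        if auth and ntlm_message_type(auth) == "AUTHENTICATE":
            stats[conn]["authenticate"] += 1
    return dict(stats)

def make_token(msg_type):
    # Hypothetical helper: builds a constructed, truncated token (header fields only).
    raw = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed sample trace, not captured from a real server.
SAMPLE_TRACE = [
    ("conn-1", "GET /default.aspx", None),            # first, anonymous attempt
    ("conn-1", "GET /default.aspx", make_token(1)),
    ("conn-1", "GET /default.aspx", make_token(3)),
    ("conn-2", "GET /report.aspx", make_token(1)),
    ("conn-2", "GET /report.aspx", make_token(3)),
    ("conn-2", "GET /report.aspx", "NTLM not-base64!"),  # malformed, ignored
]

if __name__ == "__main__":
    for conn, s in handshakes_per_connection(SAMPLE_TRACE).items():
        print(conn, s)
```

Feed it the connection id and `Authorization` header of each request from a proxy or packet capture; an AUTHENTICATE count equal to the request count on a connection means a full handshake per request.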
