Tags: asp.net, internet-explorer, ssrs-2008, windows-authentication

Internet Explorer does not prompt for windows authentication after session timeout


I have a problem with the SSRS Report Manager web application (but again, I see this more as a typical ASP.NET application issue as well).

This application is configured to use Windows Authentication, and users typically access the application using Internet Explorer. The application also has the session timeout set to 20 minutes.

The issue (which has been interpreted as an information security issue :( ) is that if the user is idle on this application for more than 20 minutes, he can still come back and continue working without any problem. They said that it's not timing out at all, as they do not get the login prompt.

When I ran Fiddler, I observed that the first request after 20 minutes is in fact a 401, which means the server has declined the request. After that, I believe, Internet Explorer sends the cached credentials. Because of this the login prompt does not appear.

The questions I have are these:

1. Is it true that IE can send cached credentials after the session has timed out? Any Microsoft link/reference?
2. Is there any way we could force the login dialog to appear after the session has timed out? (I removed it from the IE Settings tab and Advanced tab, but no luck.)


Solution

  • There is a very good blog post discussing a few different options, but the best one is to get your application to detect the session timeout and send a 401 response code.

    An alternative (and better) approach is to not use Windows Authentication, and to implement your own login interface. This is pretty straightforward in ASP.NET.

    If you do not have control of your application, and it sounds like you don't, then there is not a lot you can do.

    However, that doesn't explain what you are trying to achieve by forcing the user to login manually, and re-login if their session expires. The only time that you would gain anything from forcing the user to log-in to your web-site manually is if you expected them to leave their computer unlocked - but then you already have a gaping security hole anyway. It's like winding up the windows in your car, but then leaving the doors unlocked and the key on the roof.
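The following is an added example (not code from the question, the answer, or the blog post the answer refers to) of the first option in the answer: an ASP.NET HttpModule that notices when an application session has timed out and answers with 401 instead of silently starting a fresh session. It only applies to an application you control, so not to SSRS Report Manager itself. It assumes the IIS 7+ integrated pipeline, the default session cookie name ASP.NET_SessionId, and that the module is registered under system.webServer/modules in web.config.

```csharp
using System;
using System.Net;
using System.Web;

// Added example: treat an expired ASP.NET session as a logout and answer 401.
// Assumptions: IIS integrated pipeline, default session cookie name, module
// registered in web.config under <system.webServer><modules>.
public class SessionExpiryModule : IHttpModule
{
    // Default ASP.NET session cookie name (assumption: not renamed in web.config).
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // Session state is only available from PostAcquireRequestState onward.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;
        if (ctx.Session == null) return; // handler that does not use session state

        if (IsExpiredSession(ctx))
        {
            // Discard the replacement session ASP.NET just created so nothing
            // from this request is persisted.
            ctx.Session.Abandon();

            // ASP.NET reuses the session ID from the cookie when the session it
            // names is gone, so the stale cookie must be cleared; otherwise the
            // browser's next request would trip this check again, forever.
            var dead = new HttpCookie(SessionCookieName, string.Empty)
            {
                Expires = DateTime.Now.AddDays(-1),
                HttpOnly = true
            };
            ctx.Response.Cookies.Add(dead);

            ctx.Response.Clear();
            ctx.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            ctx.Response.SuppressContent = true;
            app.CompleteRequest();
            return;
        }

        // Touch the session on its first request so the cookie is actually
        // issued: ASP.NET only sends ASP.NET_SessionId once something is stored.
        if (ctx.Session.IsNewSession)
        {
            ctx.Session["Started"] = DateTime.UtcNow;
        }
    }

    // The browser presented a session cookie, yet ASP.NET had to create a new
    // session: the one the cookie referred to no longer exists on the server,
    // i.e. it idled past the configured timeout (or the worker process recycled).
    private static bool IsExpiredSession(HttpContext ctx)
    {
        bool cookieSent = ctx.Request.Cookies[SessionCookieName] != null;
        return ctx.Session.IsNewSession && cookieSent;
    }
}
```

One caveat worth knowing before relying on this: with Integrated Windows Authentication, IIS appends a WWW-Authenticate: Negotiate/NTLM challenge to the 401, and Internet Explorer in the Local intranet zone (the default "Automatic logon only in Intranet zone" setting) answers that challenge with the logged-on user's credentials without showing a dialog. That is exactly the silent re-authentication seen in Fiddler in the question. So the module above reliably resets the application's own session after the idle period, but on its own it will not produce a login prompt; a prompt only appears when the site sits in a zone where automatic logon is disabled or the user is not logged on to the domain.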