[thelist] Expiring NT Auth Sessions

Ken Schaefer ken.schaefer at gmail.com
Thu Sep 2 02:12:35 CDT 2004


Hi,

ASP Sessions have nothing to do with HTTP-based authentication mechanisms. 

Once a user has authenticated using an HTTP-based authentication
mechanism (e.g. Basic, NTLM, Digest), the browser continues sending
those credentials for all subsequent requests until either (a) the
browser is closed -or- (b) the browser encounters another 401 error
(which then causes the browser to pop up another dialogue box). I am
surprised that you are able to get the login dialogue box again simply
by waiting for the ASP session to expire. You see, the browser has no
idea when a session is supposed to expire.

The only possibility that I can think of is that you have some 3rd-party
add-on installed on your server that somehow sends back 401
errors when a browser returns an ASP session id cookie that has
expired.

Cheers
Ken

On Wed, 1 Sep 2004 15:32:51 -0500, Ken Kogler <gsls at kenkogler.com> wrote:
> List,
> 
> I've got an interesting problem. Win2k server, IIS5, VBScript.
> 
> I've got a page on my site which is secured by the NTFS permissions on the
> server itself. When a visitor to our website encounters the page, they get a
> prompt for a username/password, which is all handled by Win2k. I haven't
> written any kind of authentication routine for this, I'm relying on the NTFS
> perms. So far, this has worked great.
> 
> The trouble comes when a user wants to log out and log back in as someone
> else. Right now, when the user tries this, their user/pass is apparently
> cached and they're taken back to the protected page as the first user. They
> never get the login prompt again to change credentials.
> 
> If the user waits the specified amount of time for their session to expire
> (currently set to 20 minutes on my server), then the next time they visit
> the login page, they get the prompt.
> 
> I can't for the life of me figure out how to code a logOUT page that will
> end their session and reset the cached NTFS username/password. I've tried <%
> session.end %> and <% session.contents.removeAll %> but no luck. Any
> thoughts?
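
A small Python model of the behaviour described in the reply above, added here as an illustration and not part of the original thread: the browser resends cached Basic credentials whether or not the server-side session has expired, and only a 401 reopens the dialog. The accounts, `handle`, `Browser`, `scenario` and the `addon` flag (standing in for the hypothesised third-party add-on) are all constructed for this example.

```python
import base64

USERS = {"alice": "pw-a", "bob": "pw-b"}  # constructed accounts
TTL = 20 * 60                             # 20-minute session timeout, as in the thread

def handle(headers, sessions, now, addon=False):
    """Model server. sessions maps session id -> last-seen time. Returns (status, user)."""
    sid = headers.get("Cookie")
    expired = sid in sessions and now - sessions[sid] >= TTL
    if addon and expired:
        del sessions[sid]
        return 401, None   # hypothetical add-on: stale session cookie answered with 401
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, None
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if USERS.get(user) != pw:
        return 401, None
    sessions[sid or "sid-1"] = now   # session state is created or refreshed, nothing more
    return 200, user

class Browser:
    """Model browser: resends cached credentials until it receives a 401."""
    def __init__(self, typed):
        self.typed = list(typed)     # what the user enters at each successive dialog
        self.cached = self.cookie = None
        self.dialogs = 0

    def get(self, sessions, now, addon=False):
        for _ in range(2):           # one request, plus one retry after a dialog
            headers = {}
            if self.cookie:
                headers["Cookie"] = self.cookie
            if self.cached:
                token = base64.b64encode(self.cached.encode()).decode()
                headers["Authorization"] = "Basic " + token
            status, user = handle(headers, sessions, now, addon)
            if status == 200:
                self.cookie = "sid-1"
                return user
            self.dialogs += 1        # a 401 is the only thing that opens the dialog
            self.cached = self.typed.pop(0)
        return None

def scenario(addon):
    """Log in, return 5 minutes later, then return after the session has timed out."""
    sessions, b = {}, Browser(["alice:pw-a", "bob:pw-b"])
    users = [b.get(sessions, t, addon) for t in (0, 300, 300 + TTL)]
    return users, b.dialogs
```

With `addon=False` the third visit is still served as the first user with no new dialog; with `addon=True` the expired session cookie draws a 401, the dialog reappears, and a different user can log in.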

