I have a website which is accessed via Windows Authentication and Active Directory, and currently it seems to have much longer timeouts than I set. I am trying to make this shorter to help make the website more secure.
A lot of people seem to have the opposite problem, where they are trying to set long timeouts (1 hour or more) and it times out in about 20 minutes instead. I have tried applying the settings mentioned in these solutions, but can't get a timeout to happen.
I've searched this site and read a bunch of the Microsoft documentation and possibly my answer is hidden by the more commonly asked opposite of this question. It seems like in answers posted to this site at least, people would expect that the settings I have tried would achieve the result I'm looking for (particularly the Session State variable). Example: Asp.Net (MVC): Which session timeout is what?
My minimum solution required to replicate the problem is:
- Create a new site in IIS 7.5 (I have used the default IIS website found in C:\inetpub\wwwroot and https binding to a random port number with a new locally generated certificate to try and isolate the problem)
- In "IIS->Authentication", enable Windows Authentication, disabling all other authentication options
- Add an "IIS->Authorization Rules" setting to only allow a specific user different to my Windows user ID (I'm actually using an AD group, but I think this helps simplify the problem to just use a username)
- In "IIS->Configuration Editor", set system.web/authentication/forms/timeout to 00:01:00.
- In "ASP.NET->Session State", set Cookie Settings->Time-out (in minutes): to 1
- In the Application Pool, select Advanced Settings and set "Process Model->Idle Time-out (minutes)" to 0
Once all this is done, if you browse to the website, it will ask you for your Windows log-in, and when you provide it the page will load correctly. If you wait even 10 minutes, you can still just refresh the page; but if you close the browser, it requires you to log in again, as I would expect. I am expecting that after 1 minute, the user should be required to authenticate to view the page again.
Is there some blatantly obvious setting that I am missing somewhere? Am I able to achieve what I'm expecting based purely on these Windows Authentication settings? I might be misunderstanding what these settings are doing?
P.S. Sorry, I took a screenshot for each step and had more examples of places I have looked for answers but I'm unfortunately only able to post two links in the post.
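Editor's note, added here and not part of the original question: the six configuration steps above can be reproduced from an elevated PowerShell prompt with the WebAdministration module that ships with IIS 7.5, which makes the repro exact and lets you read back what each setting actually controls. The script below is an added example, not the poster's or Microsoft's own code. It assumes a site and application pool both named TimeoutTest, HTTPS on port 8443, an existing server certificate in cert:\LocalMachine\My identified by $CertThumbprint, and CONTOSO\otheruser as the account allowed by the authorization rule; all of those names are placeholders chosen for this example. The read-back at the end includes system.web/authentication@mode, which decides whether forms/timeout is consulted at all: that attribute only governs the Forms-authentication ticket, sessionState/timeout only governs the Session object, and the windowsAuthentication element has no idle time-out attribute, only the authPersist* flags that control whether NTLM re-authenticates per request or per connection.

```powershell
# Added example (not from the original post): reproduce the configuration
# described in the question with the WebAdministration module, then read
# back the settings that govern each timeout.
# Assumptions (placeholders, not in the post): site/pool name 'TimeoutTest',
# port 8443, a certificate already in cert:\LocalMachine\My identified by
# $CertThumbprint, and 'CONTOSO\otheruser' as the allowed account.
# Run in an elevated PowerShell on the IIS 7.5 host.

Import-Module WebAdministration

$SiteName       = 'TimeoutTest'
$Port           = 8443
$CertThumbprint = 'PUT-THUMBPRINT-HERE'      # assumption: existing server cert
$AllowedUser    = 'CONTOSO\otheruser'         # assumption: not your own account

# Step: application pool with "Idle Time-out (minutes)" = 0
if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)

# Step: new site on the default wwwroot content with an https binding
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath 'C:\inetpub\wwwroot' `
                -Port $Port -Ssl -ApplicationPool $SiteName | Out-Null
}
$cert = Get-Item "cert:\LocalMachine\My\$CertThumbprint"
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!$Port")) {
    New-Item "IIS:\SslBindings\0.0.0.0!$Port" -Value $cert | Out-Null
}

# Step: Windows Authentication only. These sections are locked at server
# level, so write them into applicationHost.config under a <location> tag.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
foreach ($other in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/$other" -Name enabled -Value $false
}

# Step: authorization rule. Remove the inherited "Allow all users" rule for
# this site and allow a single account instead.
$authz = 'system.webServer/security/authorization'
Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $authz `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $authz `
    -Name '.' -Value @{ accessType = 'Allow'; users = $AllowedUser }

# Step: the two ASP.NET timeouts from the post (written to the site's web.config)
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.web/authentication/forms' -Name timeout -Value '00:01:00'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.web/sessionState' -Name timeout -Value '00:01:00'

# Read back the effective values. Note which element each timeout lives on:
#  - system.web/authentication@mode decides whether forms/timeout applies
#    (it only governs the Forms-authentication ticket; with mode="Windows"
#    nothing reads it).
#  - sessionState/timeout expires the Session object, not the login.
#  - windowsAuthentication carries no idle time-out; authPersistNonNTLM and
#    authPersistSingleRequest only set per-connection vs per-request NTLM.
$aspAuth  = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/authentication'
$forms    = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/authentication/forms'
$session  = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/sessionState'
$winAuth  = Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"

[pscustomobject]@{
    AuthMode                 = $aspAuth.mode
    FormsTimeout             = $forms.timeout
    SessionTimeout           = $session.timeout
    WindowsAuthEnabled       = $winAuth.enabled
    AuthPersistNonNTLM       = $winAuth.authPersistNonNTLM
    AuthPersistSingleRequest = $winAuth.authPersistSingleRequest
}
```

Running this with the post's values prints AuthMode as Windows next to FormsTimeout and SessionTimeout of one minute, which is the combination that produces the behaviour described: both one-minute values are in effect, but neither is attached to the Windows log-in, and the browser keeps re-sending the credentials it prompted for until it is closed. Changing the two timeouts therefore alters nothing you can observe for this site; they would only matter for a site whose authentication mode is Forms.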