with integrated windows authentication and asp.net, the user changes password and is prompted to login again. why?

Question

I am working on an application that uses windows authentication. Within this application, we give the user the ability to change their password.

The user can change the password just fine. However, after they change their password, that is when things get weird.

Sometimes they can navigate through the application just fine. Other times, they click on a link and are immediately prompted to supply credentials. Occasionly they can click on a link but upon a second click they are prompted to supply credentials.

Does the browser keep a token to the original credentials and use this when they request the next page? If this is the case, why can i continue using the site sometimes? Can I change the password and then assign that token to the request?

Does anyone have suggestions?

Answer 1

It's a caching issue. If the user connects to an ASP.NET app using Windows auth, the connection will linger for a while for performance reasons (you really don't want to do a complete re-auth on every page request!) - even then the password change has to travel from the PC, to the domain controller and then to the ASP.NET server, so there is often a small delay. My recommendation would be to drop the browser and wait 30secs before reconnecting.