I'm using NTLM (authentication="windows" in the web.config) with an asp.net mvc 2.0 site.

Right now once a user logs in it keeps them logged in for weeks at a time.

The use of the application is being opened up to users who share computers that use logged in service accounts.

I need the site to reprompt each user for their AD credentials each time in order to handle these users. (Activity on the site must be linked to a uniquely identified user.)

Thanks for any help that you can provide.

Trey Carroll

+2  A: 

I would change the app to use Forms authentication instead. You can still validate the credentials against AD, but you'll be able to enforce the login requirements.

David
A: 

Can you make sure that they just use a browser that doesn't support NTLM automatically? For example when I go to our Sharepoint server I have to login with my domain credentials in Firefox.

Ryan
+1  A: 

A way to do this is to handle the Http Authentication process using the HTTP 401 challenge.

The principle is to refuse the credentials, even if they are valid, to force all users (or some, depending on AD attributes/code parameters...) to retype their credentials.

You have to send HTTP 401 codes in the response to indicate to the browser that the credentials which have been sent are not accepted. Depending on the browser configuration, you have to send 1 to 3 401 responses (you can use cookies to handle the counter) to force the browser to prompt the user, so count up to 3.

// mycounter holds how many 401 challenges this browser has already received
// (kept in a cookie, since each 401 round trip is a new request).
// Each 401 tells the browser the credentials it just sent were rejected;
// after 1 to 3 of them the browser gives up on silent NTLM and prompts the user.
if (mycounter < 3)
{
    Response.StatusCode = 401;
    Response.End();
}

NTLM Authentication Scheme for HTTP

IIS Authentication

JoeBilly
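The 401-challenge counter from the answer above, worked out as an ASP.NET IHttpModule. This is an added example, not JoeBilly's code; the cookie name "ReauthChallenges", the module class name and the threshold of 3 are assumptions, and it relies on IIS Windows authentication adding the WWW-Authenticate headers to any 401 the application returns.

```csharp
using System;
using System.Web;

// Added example (not from the original answer): reject the first few authenticated
// requests of a browser session with HTTP 401 so the browser re-prompts for AD credentials.
public class ForceReauthModule : IHttpModule
{
    private const string CookieName = "ReauthChallenges"; // constructed name (assumption)
    private const int MaxChallenges = 3;                   // browsers need 1 to 3 rejections

    public void Init(HttpApplication app)
    {
        // Run after IIS has already validated the NTLM credentials.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsAuthenticated)
        {
            return; // no credentials yet; IIS will issue the normal challenge
        }

        int sent = 0;
        HttpCookie counter = ctx.Request.Cookies[CookieName];
        if (counter != null)
        {
            int.TryParse(counter.Value, out sent);
        }

        if (sent >= MaxChallenges)
        {
            return; // enough rejections: accept the credentials the user retyped
        }

        // Session cookie (no Expires) so closing the browser starts the count again,
        // which re-prompts the next person using the shared machine.
        HttpCookie updated = new HttpCookie(CookieName, (sent + 1).ToString());
        updated.HttpOnly = true;
        ctx.Response.Cookies.Add(updated);

        ctx.Response.StatusCode = 401;  // IIS appends the NTLM/Negotiate challenge headers
        ctx.Response.End();
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in web.config; the counter cookie is per browser, so a user already past the threshold is not re-prompted until the browser is closed.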