Hi all,

I am using some ASP.NET (web forms) code in order to force auth & auth over some content. Except for the auth code, all other content is non-aspx, i.e. html, png, etc.

My application is using a centralized authentication service, which means if a user authenticates against that service, he/she has access to all apps that use that authentication token.

I can force all requests to be authenticated against that service using forms authentication, no problem.

Now I want to authorize every request against an Active Directory group (i.e. allow access if in group, deny otherwise).

The problem is this: If a user is already authenticated, subsequent requests to an HTML page in the site will not send the user to my aspx code because forms auth says 'hey this person is already authenticated, let him/her through'.

Is there a way I can force all requests to go through an authorization check first?

[Update: Here's why this is a problem. I set an AD group to have access. Users go through. I change AD group, but auth cookie hasn't expired so users who have the cookie but are no longer authorized still go through. Sure I can set a timeout of 1 min and repeatedly authenticate (happens in background so users don't have to type in password repeatedly), but I am looking for a more elegant solution.]
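
Added example, not part of the original post: one way to re-check Active Directory group membership on every request, including ones that already carry a valid forms auth cookie, is an `IHttpModule` hooked to `AuthorizeRequest`. The module name, the group name `EXAMPLE-APP-USERS`, and the 60-second cache are assumptions; it also assumes `User.Identity.Name` is an account name AD can resolve and that direct group membership is what should be tested.

```csharp
// Added example: hypothetical module, not code from the post.
using System;
using System.DirectoryServices.AccountManagement;
using System.Web;
using System.Web.Caching;

public class AdGroupAuthorizationModule : IHttpModule
{
    // Assumption: placeholder group name; replace with the real AD group.
    private const string RequiredGroup = "EXAMPLE-APP-USERS";
    // Short cache so AD is not queried for every image or HTML file.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromSeconds(60);

    public void Init(HttpApplication app)
    {
        // Runs on each request, after forms auth has accepted the cookie.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // anonymous: let forms auth redirect to the login flow
        string user = ctx.User.Identity.Name;
        string key = "adgroup:" + user;
        object cached = ctx.Cache[key];
        bool allowed = cached != null ? (bool)cached : IsInGroup(user);
        if (cached == null)
            ctx.Cache.Insert(key, allowed, null,
                DateTime.UtcNow.Add(CacheTtl), Cache.NoSlidingExpiration);
        if (!allowed)
        {
            // The cookie is still valid but the user is no longer authorized.
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    private static bool IsInGroup(string accountName)
    {
        using (var domain = new PrincipalContext(ContextType.Domain))
        using (var u = UserPrincipal.FindByIdentity(domain, accountName))
        using (var g = GroupPrincipal.FindByIdentity(domain, RequiredGroup))
        {
            // Fail closed: an unknown user or group means no access.
            return u != null && g != null && u.IsMemberOf(g);
        }
    }
}
```

The module only sees `.html` and `.png` requests if it runs for static content; in the IIS integrated pipeline that means registering it under `<system.webServer><modules>` without `preCondition="managedHandler"`. With the cache, a group change takes effect within the cache lifetime regardless of how long the auth cookie remains valid.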