C# (ASP.NET) Windows Authentication?

This is for ASP.NET (C#).

1) If we use Windows Authentication, I am assuming that we could use NTLM to do the Windows Authentication. Does this mean that for every request to the web server, they need to do the challenge response? +-5 more handshake requests? Because if I am not wrong, theoretically speaking we need to input the username/password for every request to the server, but luckily I.E does this for us automatically in the background.

2) With Windows Authentication, do we still need session cookies? How are we going to implement session timeout apart from using cookies? Is there a way to implement session timeout without the cookies?
S31B1 Commented:
1) All modern browsers are capable of using Windows Auth to connect to pages. If you require this sort of security it is the only solution. It will use Negotiation to decide on NTLM or Kerberos. What is your concern? Is it that the authentication overhead will be too much?

2) Session cookies are required as these form the index of the session state. As far as I know, without implementing custom session providers the only way to utilise session state without cookies is to use the inbuilt "cookieless" functionality; however, that messes about with your URLs and is far from ideal.
kecoak (Author) Commented:
1) I just wanted to check that my understanding is correct. Is that really the case? For every HTTP request to the server, the client needs to do 4-5 handshakes before getting the response back?

2) Well, the idea of Windows Authentication is to have Single Sign On and a centralised user access database. By doing this, we could also save the hassle of using session "COOKIES", but then if we don't use SESSION COOKIES, how are we going to implement Authentication TIMEOUT?

On the other hand, if we use cookies to implement Authentication Timeout, it means that we rely on the cookies as part of our authorisation/authentication. Isn't it going to be a mixed authentication of Windows Authentication and Form based Authentication?

What is your thought around this?
I'm not sure on the technicalities of Integrated Windows authentication, but I can say that on a slow network there is no perceivable slowdown when using Integrated auth over anonymous access.

You talk of Authentication timeout; from what I'm aware of there is no such thing as Authentication timeout. Your integrated auth credentials are valid so long as you have an active logon session.

The point is we can have session timeout, which is to be dealt with separately to authentication. I'm sure if you had the time and money you could implement an AD based session provider that did away with the inProc session store and could probably use the logged on id as a key.

You don't have mixed auth. You have Integrated auth with cookie based session state management.
Question has a verified solution.
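
The last reply's idea of using the logged-on ID as the key, shown as an added example that is not part of the thread or any participant's code: an ASP.NET `IHttpModule` that tracks idle time per Windows identity without a session cookie. The names `IdleTimeoutTracker` and `WindowsIdleTimeoutModule`, the 20-minute limit and the `IdleExpired` item key are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Tracks the last request time per authenticated user name (no cookie involved).
public sealed class IdleTimeoutTracker
{
    private readonly TimeSpan _idleLimit;
    private readonly ConcurrentDictionary<string, DateTime> _lastSeen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public IdleTimeoutTracker(TimeSpan idleLimit) { _idleLimit = idleLimit; }

    // Records activity for 'user'. Returns true when the user's previous request
    // was longer ago than the idle limit, so the caller can discard per-user state.
    public bool TouchAndCheckExpired(string user, DateTime utcNow)
    {
        bool expired = false;
        _lastSeen.AddOrUpdate(user, utcNow, (key, previous) =>
        {
            expired = utcNow - previous > _idleLimit;
            return utcNow;
        });
        return expired;
    }
}

public sealed class WindowsIdleTimeoutModule : IHttpModule
{
    // In-memory and per worker process: not shared across a web farm, and one
    // timer per user name, so every browser or machine of that user shares it.
    private static readonly IdleTimeoutTracker Tracker =
        new IdleTimeoutTracker(TimeSpan.FromMinutes(20)); // assumed limit

    public void Init(HttpApplication app)
    {
        // Runs after IIS has completed Integrated Windows authentication.
        app.PostAuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
            if (Tracker.TouchAndCheckExpired(ctx.User.Identity.Name, DateTime.UtcNow))
                ctx.Items["IdleExpired"] = true; // hypothetical flag read by pages
        };
    }

    public void Dispose() { }
}
```

The flag only tells the application that the idle limit passed; the browser's Windows credentials remain valid, so the next request is still authenticated as the same user.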
