this is for ASP.NET (C#)
1) If we use Windows Authentication, I am assuming that we could use NLTM to do the Windows Authentication. Does this mean for every request to the web server, they need to do the challenge response? +-5 more handshake request? Because If I am not wrong, theoretically speaking we need to input the username/password for every request to the server but luckily I.E does this for us automatically in the background.
2) With Windows Authentication, do we still need session cookies? How are we going to implement session timeout apart from using cookies? Is there a way to implement session timeout without the cookies?