kecoak

C# (ASP.NET) Windows Authentication?

This is for ASP.NET (C#).

1) If we use Windows Authentication, I am assuming that we could use NTLM to do the Windows Authentication. Does this mean that for every request to the web server, they need to do the challenge-response? +-5 more handshake requests? Because if I am not wrong, theoretically speaking we need to input the username/password for every request to the server, but luckily IE does this for us automatically in the background.

2) With Windows Authentication, do we still need session cookies? How are we going to implement session timeout apart from using cookies? Is there a way to implement session timeout without the cookies?
ASKER CERTIFIED SOLUTION
S31B1

kecoak

ASKER

1) I just wanted to check that my understanding is correct. Is that really the case? For every HTTP request to the server, the client needs to do 4-5 handshakes before getting the response back?

2) Well, the idea of Windows Authentication is to have Single Sign On and a centralised user access database. By doing this, we could also save the hassle of using session "COOKIES", but then if we don't use SESSION COOKIES, how are we going to implement Authentication TIMEOUT?

On the other hand, if we use cookies to implement Authentication Timeout, it means that we rely on the cookies as part of our authorisation/authentication. Isn't it going to be a mixed authentication of Windows Authentication and Form based Authentication?

What is your thought around this?
I'm not sure on the technicalities of Integrated Windows authentication; I can say that on a slow network there is no perceivable slowdown when using Integrated auth over anonymous access.

You talk of authentication timeout; from what I'm aware of, there is no such thing as authentication timeout. Your integrated auth credentials are valid so long as you have an active logon session.

The point is we can have session timeout, which is to be dealt with separately to authentication. I'm sure if you had the time and money you could implement an AD based session provider that did away with the InProc session store and could probably use the logged on id as a key.

You don't have mixed auth. You have Integrated auth with cookie-based session state management.
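
The split described in the last reply (Integrated authentication for identity, cookie-based session state for the timeout) can be sketched as follows. This is an added example, not code from the thread; it assumes classic ASP.NET on IIS with `<authentication mode="Windows" />` and session state enabled, and `IdleTimeoutModule`, the session keys and `~/SessionExpired.aspx` are hypothetical names.

```csharp
// Added example: idle timeout for application session state under Windows auth.
// IdleTimeoutModule, OwnerKey, LastSeenKey and SessionExpired.aspx are hypothetical.
using System;
using System.Web;

public class IdleTimeoutModule : IHttpModule
{
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(15);
    private const string OwnerKey = "Owner";
    private const string LastSeenKey = "LastSeenUtc";

    public void Init(HttpApplication app)
    {
        // Session state is only available once AcquireRequestState has run.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // handler without session state, or anonymous request

        string user = ctx.User.Identity.Name; // DOMAIN\account established by IIS
        string owner = ctx.Session[OwnerKey] as string;
        DateTime? lastSeen = ctx.Session[LastSeenKey] as DateTime?;
        DateTime now = DateTime.UtcNow;

        // The session cookie must belong to the same Windows identity that created it.
        bool wrongOwner = owner != null &&
            !string.Equals(owner, user, StringComparison.OrdinalIgnoreCase);
        bool idleTooLong = lastSeen.HasValue && now - lastSeen.Value > IdleLimit;

        if (wrongOwner || idleTooLong)
        {
            // Only the application session ends here. The Windows logon is still
            // valid, so the browser re-authenticates silently on the next request.
            ctx.Session.Clear();
            ctx.Session.Abandon();
            ctx.Response.Redirect("~/SessionExpired.aspx", false);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        ctx.Session[OwnerKey] = user;   // bind the session to the logged-on id
        ctx.Session[LastSeenKey] = now; // sliding idle window
    }

    public void Dispose() { }
}
```

The module has to be registered under `system.webServer/modules` in web.config before it runs.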