forcing logout after non-anonymous integrated windows authentication
Posted on 2008-10-16
I have a non-anonymous integrated windows login scenario for an IIS 6 based website (development environment: Visual Studio 2005 / and server with asp.net 2.0) whereby the user authenticates using an integrated windows authentication. That is, when first hitting the URL on the website, the user is presented with a standard windows login screen, and they enter their credentials they normally would log into Windows with. Their login is enabled throughout their session until their browser is closed.
I need to add some security so that if the worker leaves their machine, then after a certain amount of time, their screen will go to a safe screen, and they'll be required to log in again. In all my readings on this, the uniform recommendation seems to be that you have to close the browser, which is fine with me. I also saw a reference to clearing the user.identity token, but i can't figure out how to do this in Visual Studio. User.identity.IsAuthenticated is read-only. Rats.
Question: how can I either:
1. time-out the page, nullify the authentication state, and redirect it to a safe, non-authentication page that will require the user to click a link that references a secure page, and it presents the user with an integrated Windows login screen again.
or if this can't be done:
2. automatically close the browser after a certain amount of time that a page has been up.
Thanks kindly for any ideas.