RabbieBurns Posted February 1, 2009
I have a website created that requires users to log in via their Active Directory account. It seems with IE they stay logged in until they close the browser. A lot of users log in from home, so I'm looking for a way to force a logout from the site after X mins. I have been dabbling with cookies, but am unsure if this is the right way to do it, as they are not logging in to the actual site per se (although I would love to add a second level of security by having a login page on the actual site, but have no idea about that now). Is there a way in IIS to force the logout of an authenticated session after a certain amount of time?

powdarrmonkey Posted February 1, 2009
If you're just doing authentication with a normal IIS protected directory, then no, you can't time it out (the browser just keeps on presenting its credentials with every page request). You need to use a cookie-based authentication that you can control a bit more. I don't know if ASP has an equivalent to PHP's sessions system, but that would be your best bet.

SYNACK Posted February 1, 2009
It is not too difficult to set up forms-based authentication with ASP. There is a nice write-up on cookie-based stuff here with code: ASP 101 - Articles
Here's one that uses a DB: Simple ASP Authentication System
There is a whole list of tutorials here: ASP User Authentication Tutorials - Tutorialized
Once you get the hang of it, the session-based stuff in ASP is easy to use as it does most of the work for you.

RabbieBurns (Author) Posted February 1, 2009
Thanks, I'll check those links out tomorrow and try to knock something together.

RabbieBurns (Author) Posted February 2, 2009
> Here's one that uses a DB: Simple ASP Authentication System
> Once you get the hang of it, the session-based stuff in ASP is easy to use as it does most of the work for you.

Used this one, piece of cake to set up, and I have created a logout button as it doesn't use cookies so I don't think I can auto time it out. Slightly off topic now, but can anyone post code I could use to somehow mangle the passwords stored in the database so they aren't plain-text?

SYNACK Posted February 2, 2009
MD5 hashing, although easily broken now via Google, sounds like it would fit the bill, as it is what is used in most situations:
AspEncrypt.com - Encrypt Your Password Database with a One-way Hash
http://webcheatsheet.com/asp/md5_encrypt_passwords.php?print=Y
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=9367&lngWId=4
Edited February 2, 2009 by SYNACK

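An added example, not part of any post in this thread and not code from the linked tutorials: a Python illustration (the site itself is ASP) of the password storage question above, contrasting unsalted MD5, where every account with the same password gets the same digest and a published digest can simply be looked up, with a per-user salted PBKDF2 record. The record format, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def md5_hex(password: str) -> str:
    """Unsalted MD5: identical passwords always produce identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed or truncated record: treat as a failed login
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    users = {"alice": "password", "bob": "password"}
    for name, pw in users.items():
        print(name, "md5   ", md5_hex(pw))        # same digest for both users
    for name, pw in users.items():
        print(name, "pbkdf2", hash_password(pw))  # different record per user
```

Storing the algorithm name and iteration count inside each record lets the work factor be raised later without invalidating existing accounts.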
RabbieBurns (Author) Posted February 2, 2009
Thanks, I'll check that out tomorrow. I also managed to add an auto time out to the stuff I did today by adding a session expire line to the .asa