require credentials on revisiting page

Discussion in 'ASP.NET 2.0' started by conrads, Jul 29, 2015.

  1. Hi all,

    I password protected a folder for staff access. There's a page in the folder. When you first access the page, the prompt for username and password input displays. After credentials are entered correctly, you get access to the page. However, when you leave and type the URL in the location bar, you go right to the page without needing to enter username and password. I thought that using sessionTimeout would require the user to enter username and password again, but it's not doing it. This is what I have in the web.config file.

    <configuration>
      <system.webServer>
        <security>
          <authorization>
            <add accessType="Deny" users="?" />
          </authorization>
        </security>
      </system.webServer>
      <system.web>
        <sessionState
          mode="InProc"
          cookieless="true"
          timeout="15"/>
      </system.web>
    </configuration>

    Thanks!
     
  2. mjp

    That's by design. You have the timeout set to 15 minutes, so if an authorized user leaves but then hits the page again during that 15 minutes, they won't be prompted for login credentials.

    You can lower that timeout value, but bear in mind that the lower that timeout value, the more resources you're going to use on the server, so if it's too low and you have a lot of users, that could have a negative impact on the performance of your application.
     
  3. Thanks. That's the behavior I was expecting to happen, so that's good - my understanding of the code is correct.

    But in my case, I've waited for over half a day, and when I type in the URL, I can still get straight to the page without the prompt.

    The page just needs to be not publicly accessible. It's meant for staff to look at (it's a page of reference docs), and so there will only be a single username and password for staff to use. Does that affect this situation any differently? Thanks.
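
Added example, not part of the thread: in ASP.NET the `sessionState` timeout only expires session data, while how long a login stays valid is set by the authentication mechanism, and browsers re-send cached Basic/Windows credentials without prompting again. Assuming the folder can use Forms authentication over HTTPS (the `~/Login.aspx` page is hypothetical), this web.config makes the login itself expire and keeps the session ID out of the URL.

```xml
<configuration>
  <system.web>
    <!-- Assumption: Forms authentication replaces the browser-prompt login.
         ~/Login.aspx is a hypothetical login page, not named in the thread. -->
    <authentication mode="Forms">
      <!-- timeout is in minutes and applies to the authentication ticket.
           slidingExpiration="false": the ticket expires a fixed 15 minutes
           after sign-in; "true" would renew it while the user stays active.
           requireSSL="true" assumes the site is served over HTTPS. -->
      <forms loginUrl="~/Login.aspx"
             timeout="15"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Deny anonymous users. This rule covers requests processed by ASP.NET. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Session state is separate from authentication: this timeout only
         discards Session data after 15 idle minutes.
         cookieless="false" keeps the session ID in a cookie; the original
         cookieless="true" embeds it in the URL, where it can end up in
         browser history, logs and Referer headers. -->
    <sessionState mode="InProc"
                  cookieless="false"
                  timeout="15" />
  </system.web>
</configuration>
```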
     
