How to force timeouts in a Sharepoint intranet site when using Windows Authentication


Background:
Security for my sharepoint web site depends on windows authentication. Our workstations are members of the authenticating domain; our users log in to the domain when they access their workstation. The sharepoint web server is also a member of the same domain.
One reason I’m blogging this is because I hope to get any misunderstandings I have cleared up by good comments.
I was not able to find any setting – either in iis, web.config, any sharepoint site setting, etc that would force a timeout when you use windows authentication. I found posts recommending that people use forms authentication if they really wanted to enforce timeouts.

So, why would anybody want timeouts if they are already secured by windows authentication? I think it’s something like the distinction between security and security theater.
We had had a problem where our users put up a number of Microsoft office documents, and then each time they attempted to open a doc, they got a windows authentication challenge. Then after they eliminated those by putting the sharepoint site into their IE “local intranet sites” group, they never had to log in again. That made them feel uneasy – like the site was wide open to the world. (and they had also themselves specifically permitted a huge group of 10,000 users to access the site without realizing what they had done.) So I wanted to make the site “feel” more secure by issuing some challenges after a timeout period.
Here’s how I did it, in C# script in my masterpage:
1) Modify Web.config on the server to allow server side scripting in your master page
Got to – C:InetpubwwwrootwssVirtualDirectories80web.config
Change the path to your master page to match your own site:
      <PageParserPaths>
      <PageParserPath VirtualPath=”/sites/OIT/_catalogs/masterpage/*” IncludeSubFolders=”true” CompilationMode=”Always” AllowServerSideScript=”true” />
      <PageParserPath VirtualPath=”/sites/Banner/_catalogs/masterpage/*” IncludeSubFolders=”true” CompilationMode=”Always” AllowServerSideScript=”true” />
      </PageParserPaths>

2) Copy the following c# code to maintain a session variable with the time of the last sign in. Basically, what it does is create a session variable to hold the last time you used  the web site, since the master page is executed for each page that you access. You set the timeout in the script. If your user leaves her desk for 33 minutes, for example, and then comes back and clicks on something, the master page will refresh, and the timeout code will see that the session should expire, and I send the user over to a page which forces her to login again.
<script language=”C#” runat=”server”>

    // ********************************************************************************
    // CONFIGS – not using web.config, using these lines
    // ********************************************************************************
    Boolean bDebugOn = false;  // control Response.Write
    Boolean bExecuteAspLoginScript = true;  // in my vstudio test project, I don’t have the page
    int TimeOutSeconds = 1800; //  30 minutes

    protected void Page_Load(object sender, EventArgs e)
    {
        Handle_CheckSessionForTimeout();
    }

    // ********************************************************************************
    // purpose – check the last time
    protected void Handle_CheckSessionForTimeout()
    {
        String strSession = System.Web.HttpContext.Current.Session["SignIn"] + “”;
        if (bDebugOn) Response.Write(“Session Value of SignIn Time:” + strSession);
        if (bDebugOn) Response.Write(“<br>Current Time:” + DateTime.Now.ToLongTimeString());

        if (strSession == “”)
        {
            System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToLongTimeString();
            Force_A_New_SignIn(); // force login for new session
            return;
        }

        // check the time, if it’s too long, force a sign in
        try
        {
            DateTime tmSessionPlusTimeout = DateTime.Parse(strSession);
            tmSessionPlusTimeout = tmSessionPlusTimeout.AddSeconds(TimeOutSeconds);
            if (bDebugOn) Response.Write(“<br>Session plus TimeOutSeconds:” + tmSessionPlusTimeout.ToLongTimeString());
            DateTime tmNow = DateTime.Now;

            if (tmNow.CompareTo(tmSessionPlusTimeout) > 0)
            {
                if (bDebugOn) Response.Write(“<br>timeout expired ********************”);

                // set session variable so after a successful login they are permitted
                System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToLongTimeString();
                Force_A_New_SignIn();
            }
            else
            {
                if (bDebugOn) Response.Write(“<br>timeout did not expire:” + tmSessionPlusTimeout.ToLongTimeString());
            }
        }
        catch (Exception ex)
        {
            if (bDebugOn) Response.Write(ex.Message);
            System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToLongTimeString();
            Force_A_New_SignIn();
        }
    }
    // ********************************************************************************
    protected void Force_A_New_SignIn()
    {
        // THIS WORKED
        if (bDebugOn) Response.Write(“<br>Force_A_New_SignIn ************************************”);
        // set it so next time they get to come in
        System.Web.HttpContext.Current.Session["SignIn"] = DateTime.Now.ToLongTimeString();
        if (bExecuteAspLoginScript)
        {
                 Response.Redirect(“_layouts/AccessDenied.aspx?loginasanotheruser=false”);    
 }
        else
        {
            if (bDebugOn) Response.Write(“<br>TEST MODE – DON’T EXECUTE THE ASPX PAGE “);
        }
    }

</script>

I’ve just put this up, and it’s not getting used heavily. We’ll see how the process matures over the next weeks.

Points:

* I noticed that when I’ve evidently timed out, if I click on a link, such as “Document Library”, that after the login process is complete, I do not continue on to my desired page, but instead return to the default.aspx page. I’m not 100% sure what to do about that.

Comments

Post a Comment

Popular posts from this blog

ContextSwitchDeadlock was detected

Image
I have been writing an application that loads large amounts of data into the a database. The process of loading the data into the database goes through several steps requiring a considerable amount of time to complete. The long processing time is not a matter of concern from the application stand point. However, frequently the application throws a "ContextSwitchDeadlock was detected" message that says the following: Message: The CLR has been unable to transition from COM context 0x20450a0 to COM context 0x20452f0 for 60 seconds. The thread that owns the destination context/apartment is most likely either doing a non pumping wait or processing a very long running operation without pumping Windows messages. This situation generally has a negative performance impact and may even lead to the application becoming non responsive or memory usage accumulating continually over time. To avoid this problem, all single threaded apartment (STA) threads should use pumping wait primitives ...
Read more

Visual Studio setup and deployment projects

Image
This article describes the basics of Visual Studio setup and deployment projects. Subsequent articles will cover advanced topics, including more on custom actions, .NET installer classes, and how to build an upgrade for the product. Introduction Setup and deployment projects have always been a part of the Visual Studio.NET environment. Setup projects can be used to build various deployment packages, most notably Windows Installer setups packaged as MSI files. I’ll start with a basic setup that installs a C# Windows forms program and adds a shortcut to it. First, select  Setup Project , grouped under  Setup and Deployment  in the  Other Project Types  section. Choosing this will give you an empty project for adding your deployment units. With the project selected in Solution Explorer, the  View->Editor  choice gives you a selection that includes  File System  – this is where you add your files and shortcuts. Application Folder ...
Read more

Using SvcUtil.exe to generate the proxy class and config file

Run svcutil.exe specifying metadata address Open the visual studio command prompt or locate the svcutil.exe from the command prompt c:\programefiles\microsoft sdks\windows\v6.0A\bin> svcutil.exe "http://localhost/managecrm/managecrm.wsdl" /language:C# //use above if you want to generate the proxy in c# c:\programefiles\microsoft sdks\windows\v6.0A\bin> svcutil.exe "http://localhost/managecrm/managecrm.wsdl" /language:VB //Use above if you want to generate the proxy in VB To Get the helpwith svcuitl.exe use the following command c:\programefiles\microsoft sdks\windows\v6.0A\bin> svcutil The output.config and proxy class will be generated in the "c:\programefiles\microsoft sdks\windows\v6.0A\bin"  
Read more