Security with MOSS 2007

  • Question

  • HI,

    I have a SharePoint site which uses Windows and form-based authentication. I need to implement a security setting such that when a user goes to another site and clicks the back button, it must ask him to re-login.

    To be more specific:

    Say I am on the SharePoint site http://mysharepoint.com. In the address bar, I type yahoo.com. The Yahoo page is loaded, and now when I click the back button, my authentication cookie is still alive and hence I am authenticated to the site. But I want to avoid this. I would like the user to be prompted for login credentials when he comes from another site.

    I would like to know what is the best practice to implement this for SharePoint site.

    Thanks in advance.

    Tuesday, November 9, 2010 10:02 PM

Answers

  • What you describe is pretty complex to implement.  Let me explain...

    Your site uses FBA for login which provides the requesting browser with a membership cookie.  After login, anywhere the user browses on the SharePoint site, the cookie deals with authentication.

    Now you are saying you want the cookie to expire.  That is a setting in your configuration of FBA and IIS, but the timeout value is fixed.  That means someone can log on to the site and navigate away and then navigate back to the site before the cookie expires and it would still be valid.

    What you want to do is to manually expire the FBA cookie when a user navigates to your SharePoint site from any non-SharePoint site.  This could be done by writing an ISAPI module that can track when the browser leaves your site and then expire the cookie.  When the user returns, the cookie is expired and they'd be prompted to log in again.

    The complex part, which I don't know if you can solve per se, is the use of the browser's BACK button.  If the page is cached, as most browsers do, then the back button won't re-request the page and the user would be looking at your SP page, or rather the cached version thereof, and only if they click to navigate elsewhere within that page would they be prompted to re-authenticate (provided the aforementioned ISAPI module is in place).

    Therefore, in order to pull this off, you'd have to write the ISAPI module to expire the cookie AND you'd have to turn caching off in SharePoint.  This last part WILL MOST CERTAINLY cause performance degradation of your SP site experience... but... if you really want to do it... Start here:

    ISAPI module - http://msdn.microsoft.com/en-us/library/ms228090.aspx

    SP cache - http://technet.microsoft.com/en-us/library/cc298466(office.12).aspx

    I trust that answers your question...

    Thanks
    C

    http://www.cjvandyk.com/blog
    • Marked as answer by Leoyi Sun Thursday, November 11, 2010 9:45 AM
    Wednesday, November 10, 2010 4:04 PM
    Answerer
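    The two halves of the answer above (expire the FBA cookie on return from another host, and stop the browser caching authenticated pages so the BACK button actually re-requests them) can be demonstrated in an ASP.NET HttpModule rather than a native ISAPI module, since MOSS 2007 web applications run on ASP.NET 2.0 and an HttpModule can both read the forms-authentication cookie and set cache headers. The following is an added example written for this thread; it is not code from the answerer, from SharePoint, or from the linked articles. The class name, the assembly name in the web.config comment, and the choice of pipeline events are assumptions; the Referer check is best-effort only, for the reason given in the comments.

```csharp
// Added example (not from the original thread): an ASP.NET 2.0 HttpModule for a
// MOSS 2007 web application that
//   (1) marks every authenticated response non-cacheable, so the BACK button
//       re-requests the page instead of rendering a cached copy, and
//   (2) expires the forms-authentication (FBA) cookie when an authenticated
//       request arrives with a Referer on a different host.
// Class name, assembly name and event choices are assumptions for illustration.
using System;
using System.Web;
using System.Web.Security;

public class ReauthOnExternalReturnModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // After forms authentication has decided who the user is.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        // After the page handler ran, before the response is flushed.
        app.PostRequestHandlerExecute += OnPostRequestHandlerExecute;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Only act on requests that are authenticated AND carry the FBA ticket
        // cookie (FormsCookieName is read from <forms name="..."> in web.config),
        // so Windows-authenticated zones are left alone.
        if (!req.IsAuthenticated ||
            req.Cookies[FormsAuthentication.FormsCookieName] == null)
            return;

        // Caveat, matching the answer: a BACK navigation does NOT send the
        // external site as Referer; the browser re-sends whatever referrer the
        // page originally had, or none. This check therefore catches users who
        // follow a link from another host, and relies on the no-store headers
        // below to make the browser re-request the page at all.
        Uri referrer = req.UrlReferrer;
        if (referrer != null &&
            !string.Equals(referrer.Host, req.Url.Host,
                           StringComparison.OrdinalIgnoreCase))
        {
            FormsAuthentication.SignOut();             // expire the FBA cookie
            FormsAuthentication.RedirectToLoginPage(); // force a fresh login
        }
    }

    private static void OnPostRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsAuthenticated)
            return;

        // Tell browsers and intermediate proxies not to keep a copy of any
        // authenticated page. This is the "turn caching off" half of the answer
        // and carries the performance cost it warns about.
        HttpCachePolicy cache = ctx.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);     // Cache-Control: no-cache
        cache.SetNoStore();                                   // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));        // already expired
    }
}

// Registration in the web application's web.config (IIS 6 / classic pipeline;
// assembly name is assumed):
//   <httpModules>
//     <add name="ReauthOnExternalReturn"
//          type="ReauthOnExternalReturnModule, ReauthOnExternalReturn" />
//   </httpModules>
```

    Two design notes. The cookie check runs only when the FBA cookie is present, so an NTLM zone on the same web application is unaffected. And the cache headers are applied to authenticated responses only, which limits the performance impact to logged-in users; anonymous pages can still be cached by SharePoint's output cache as before.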
  • Hi,

    Thanks for sharing your post.

    Firstly, you need to check the Authentication Settings:

    Central Administration -> Application Management -> Authentication Providers,
    choose a Web Application and click the Default link to navigate to the "Edit Authentication" page,
    and check whether "Integrated Windows authentication - NTLM" is selected in the "IIS Authentication Settings" section.

    And if you use the IE browser,
    you may also add the SharePoint site to your IE trusted zone,
    and check whether "Automatic logon with current user name and password" is selected under User.

    If there are still any issues, I think the following links may give you a hand:

    http://support.microsoft.com/kb/943280

    http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033.

    Hope this can help!

    Leo

    • Marked as answer by Leoyi Sun Thursday, November 11, 2010 9:45 AM
    Thursday, November 11, 2010 2:40 AM

All replies

  • Thank you very much for your replies. I shall get back if I need any further help.
    Friday, November 12, 2010 3:42 PM