If you develop an ASP.NET application that uses Basic Authentication, be sure to change the registry on your staging IIS server. What? Yes: if your application uses role-based security to secure its pages, adding a Windows domain user to a new security group does not automatically give that user access to those pages.
Why? Because when you use Basic authentication, user tokens are cached in the token cache. By default, tokens remain in the cache for 15 minutes, so a group membership change is not seen until the cached token expires. If you log on using Basic authentication with an account that has a high level of user logon rights, a successful attacker could use the account to gain access to the resources on your computer.
The Microsoft article: http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
For a production environment, 15 minutes is correct, but on a staging environment it is very frustrating to wait 15 minutes between each security test. You can change the TTL by modifying a key in the registry.
How to change the registry key (search for UserTokenTTL at the bottom of the page): http://wwwbeta.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true
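As an added example (not code from the original post), here is a PowerShell script that reads the current TTL and lowers it on a staging server while refusing to do so on production. It assumes the setting is the REG_DWORD value UserTokenTTL, in seconds, under HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters (where the IIS registry reference places it; confirm against the linked article) and that it is run from an elevated prompt on the staging box.

```powershell
# Added example, not from the original post. Assumption: UserTokenTTL is a
# REG_DWORD (seconds) under the InetInfo\Parameters key; 900 s = 15-minute default.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$Name = 'UserTokenTTL'

function Get-UserTokenTTL {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 900 }   # value absent: IIS uses its 15-minute default
    return [int]$item.$Name
}

function Set-UserTokenTTL {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(1, 86400)][int]$Seconds,
        [Parameter(Mandatory=$true)][ValidateSet('Staging', 'Production')][string]$Environment
    )
    # The post keeps the 15-minute default on production; this guard stops a
    # staging tweak from being applied there by mistake.
    if ($Environment -eq 'Production' -and $Seconds -lt 900) {
        throw "Refusing to lower $Name below the 900 s default on Production."
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Seconds -Type DWord
    # IIS reads the value at startup, so restart it for the change to take effect.
    iisreset
}

Write-Host "Current $Name : $(Get-UserTokenTTL) s"
Set-UserTokenTTL -Seconds 30 -Environment Staging   # group changes now show within 30 s
Write-Host "New $Name : $(Get-UserTokenTTL) s"
```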
Thanks
Dominic
Today I gave a presentation at CodeCamp Montreal on ASP.NET/AJAX and Visual Studio 2008. Thanks to all attendees. You can download my code and my PowerPoint presentation below.
Thanks
Dominic