SharePoint Dragons

Nikander & Margriet on SharePoint

Can I leave the lights on?

Somebody wanted to know what would happen if:

  1. You add a user to an AD group
  2. You give SharePoint site access to each member of this group
  3. The end user accesses the SharePoint site
  4. You remove the user from the group
  5. The end user doesn’t log off from his desktop and keeps the token he got from AD
  6. The next day, the end user tries to access the SharePoint site again.

As you would expect, the end user won’t be able to access the SharePoint site. In Windows authentication mode, every time an end user is validated, a session cookie is set containing an MSCSAuth ticket ( http://msdn.microsoft.com/en-us/library/ee796739(v=cs.20).aspx ). No explicit expiration date is set for this cookie, and the cookie is deleted automatically after the session expires, which happens after a period of inactivity. This timeout period is 20 minutes by default and is set in the TimeOut property of the SessionStateSection class ( http://msdn.microsoft.com/en-us/library/ms691403(v=vs.90).aspx ).
