The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so called “step-up” authentication, or “force re-authentication” for the following scenario:
- the user is browsing the site doing common, trivial stuff
- suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
- the user is prompted for the credential before (s)he’s redirected to the sensitive page, in a manner similar to SharePoint’s “Sign In as a Different User”
- if, and only if, the credentials entered are the same as for the currently logged-in user the application proceeds to the sensitive area.
This would prevent the following two issues:
- The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
- The user enters the credentials of his or her boss (because, let’s say he peeked over the boss’ shoulder) to access the sensitive area.
I know, some would look at this as “being paranoid”, but also some would say it’s common sense and should be built into a framework somewhere (jQuery or .NET).
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity object.
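The approach the answer describes, worked through as an added example in C# for an ASP.NET MVC site running under Windows integrated security. This is illustration code, not code from the question or answer; the type names (`ReauthRequest`, `StepUpAuth`, `LoansController`), the session key `ReauthVerifiedUntil`, the five-minute window and the assumption that the domain accepts the name in the form the user typed (`DOMAIN\user` or bare account name) are all choices made here. The order of the two checks matters: the typed name is compared with `User.Identity.Name` before `PrincipalContext.ValidateCredentials` is called, so the re-authentication form never validates a password for any account other than the one already signed in.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web.Mvc;

// Added example (not from the original answer). ReauthRequest, StepUpAuth,
// LoansController and the "ReauthVerifiedUntil" session key are assumptions
// made for this illustration.
public class ReauthRequest
{
    public string UserName { get; set; }   // as typed, e.g. CORP\jdoe or jdoe
    public string Password { get; set; }
}

public static class StepUpAuth
{
    // Compare the typed user name with the currently authenticated Windows
    // identity (DOMAIN\user). Accepts either the bare account name or the
    // domain-qualified form; the comparison is case-insensitive.
    public static bool MatchesCurrentUser(IIdentity current, string typed)
    {
        if (current == null || !current.IsAuthenticated || string.IsNullOrWhiteSpace(typed))
            return false;

        string fullName = current.Name;                         // e.g. CORP\jdoe
        int slash = fullName.IndexOf('\\');
        string samName = slash >= 0 ? fullName.Substring(slash + 1) : fullName;

        return string.Equals(typed, fullName, StringComparison.OrdinalIgnoreCase)
            || string.Equals(typed, samName, StringComparison.OrdinalIgnoreCase);
    }

    // Step 1: refuse before touching the directory if the typed name is not the
    // session's own identity, so the form cannot be used to check other
    // accounts' passwords (or lock them out).
    // Step 2: validate the password against the domain.
    public static bool Verify(IIdentity current, ReauthRequest req)
    {
        if (req == null || !MatchesCurrentUser(current, req.UserName))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            // Returns false for a wrong password. It throws if the domain
            // cannot be reached; callers should treat that as "deny".
            return ctx.ValidateCredentials(req.UserName, req.Password);
        }
    }
}

[Authorize]
public class LoansController : Controller
{
    [HttpGet]
    public ActionResult Reauthenticate()
    {
        return View();   // the "enter your credentials again" form
    }

    // Step-up check; on success, mark the session for a short window so the
    // user is not prompted again on every request inside the sensitive area.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Reauthenticate(ReauthRequest req)
    {
        if (!StepUpAuth.Verify(User.Identity, req))
        {
            ModelState.AddModelError("", "Credentials do not match the signed-in user.");
            return View();
        }

        Session["ReauthVerifiedUntil"] = DateTime.UtcNow.AddMinutes(5);
        return RedirectToAction("AuthorizeLoan");
    }

    // The sensitive page: only reachable while the step-up window is open.
    public ActionResult AuthorizeLoan()
    {
        var until = Session["ReauthVerifiedUntil"] as DateTime?;
        if (until == null || until.Value < DateTime.UtcNow)
            return RedirectToAction("Reauthenticate");

        return View();
    }
}
```

The time-boxed session flag is what addresses the unlocked-workstation case: the sensitive area stays protected once the window expires, so a colleague who picks up the session later still has to produce the signed-in user's own password. The name check before `ValidateCredentials` is what addresses the second case: credentials belonging to someone else are rejected without ever being validated, even if they are correct.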