http://aspfree.com/asp/startpage.asp?id=72

<i><b>Originally posted by : Alan R. Parker (parkera@technosys.co.uk)</b></i><br />With reference to item 72 I'm been attempting to use the status/end methods to force reauthentication. I've found that I must use a session variable to 'decide' if authentication has occurred, for example<br /><br /><%<br />If Session("VALID") = false then<br /> Session("VALID") = true<br /> Response.Status = "401 Unauthorized"<br /> Response.AddHeader "WWW-Authenticate", "NTLM"<br /> Response.End<br />end if<br /><br />' if I dont use the above technique I'll be asked to relogin three times and then I'll get the failed message or a blank screen, ie my login limit is three, I get success audited threee time then its stops asking me<br />Now this works for that page, but the state of the session variable even if I set it explicitly to false later no longer prompts me to relogin.<br /> <br />If I use basic rather than ntlm, it seems to require reauthentication, in the ntlm case it appear to use the cached credentials.<br /><br />now Steve Schofield suggested adding<br /><br />response.expires = 0<br />response.expiresabsolute = Now() - 1<br />response.addHeader "pragma","no-cache"<br />response.addHeader "cache-control","private"<br />Response.CacheControl = "no-cache"<br /><br />to the pages but that doesnt appear to make much/any difference.<br /><br />I tried cranking down the session timeout to 1 but I might need multiple autneications in that single minute so its not low enough and 0 (rightly) gives an error.<br /><br />Might the option be to force a session abandon... ?<br /><br /><br />Arp