When using HTTP-based authentication (e.g. Basic, NTLM, Digest, Kerberos), Internet Explorer (IE) keeps sending the same credentials with each subsequent request to the server until one of two things happens: either (a) the user closes the browser or (b) the server refuses the credentials with a 401 status code. This behaviour is described (about a third of the way down, under Notes) in KB 264921.

A common request I see is how a programmer can force a user to reauthenticate after a certain period, particularly after a period of inactivity. This might address a situation where a user has accidentally left their machine unlocked and their browser window open, or where an application-level session has expired and the programmer wants to force the user to reauthenticate at the same time.

In the past I would have recommended one of three strategies:

  • Programmatically send a 401 HTTP status to the client (e.g. Response.Status = 401)
  • Redirect the user to http://fakeuser:wrongpassword@www.yoursite.com (this no longer works on patched IE6). Since fakeuser/wrongpassword isn't a valid Windows account, the user will be prompted to enter valid credentials
  • Use the client-side ActiveX control described in KB 195192

With the exception of the first option (setting the Response.Status), the methods are mostly ugly hacks IMHO.

Now we have a new way of clearing the IE authentication cache. Beginning with IE6 SP1, the following piece of JavaScript clears IE's credentials cache. Note that this clears the credentials cache for the entire iexplore.exe process, so users will be forced to re-authenticate to every site being accessed by that process (for instance if they have multiple windows open pointing to multiple websites):

// Clear current credentials
// Requires IE6 SP1 or later; the command name is passed as a string
document.execCommand("ClearAuthenticationCache", false)

More information can be found in MSDN: ClearAuthenticationCache and execCommand
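As an added example (not code from the original post), here is how the execCommand call can be wrapped in an idle-timeout check, so that after a period of inactivity the cached credentials are cleared and the user is sent to a page that answers 401. The 15-minute timeout, the /reauth.asp URL, and the activity tracking with new Date().getTime() are assumptions chosen for illustration; the only piece taken from the post is the ClearAuthenticationCache command itself.

```javascript
// Added example: idle-timeout reauthentication built around IE's ClearAuthenticationCache.
// Assumptions (not from the original post): a 15-minute idle window, a /reauth.asp page
// that answers 401 to an unauthenticated request, and mouse/keyboard events as "activity".

var IDLE_TIMEOUT_MS = 15 * 60 * 1000;

// True once the time since the last user activity reaches the timeout.
function idleExpired(lastActivityMs, nowMs, timeoutMs) {
  return (nowMs - lastActivityMs) >= timeoutMs;
}

// Clears the cached HTTP credentials for the whole iexplore.exe process.
// Returns "cleared" when execCommand accepted the command and "unsupported" when the
// browser has no execCommand, rejects the command (pre-IE6 SP1) or throws (non-IE browsers).
function clearAuthenticationCache(doc) {
  // Old IE reports host methods as typeof "object", not "function", so test truthiness only.
  if (!doc || !doc.execCommand) {
    return "unsupported";
  }
  try {
    var ok = doc.execCommand("ClearAuthenticationCache", false);
    return ok ? "cleared" : "unsupported";
  } catch (e) {
    return "unsupported";
  }
}

// Timer-tick handler. Returns "active" if the user is still active, otherwise the result of
// the cache clear; in the idle case it also navigates to the reauth page, which must answer
// 401 so the browser prompts for credentials regardless of whether the clear succeeded.
function forceReauthIfIdle(state, nowMs, doc, win) {
  if (!idleExpired(state.lastActivityMs, nowMs, state.timeoutMs)) {
    return "active";
  }
  var result = clearAuthenticationCache(doc);
  if (win && win.location) {
    win.location.href = state.reauthUrl;
  }
  return result;
}

// Wire-up for a real page; guarded so the functions above can also be loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  var idleState = {
    lastActivityMs: new Date().getTime(), // Date.now() does not exist in IE6-era browsers
    timeoutMs: IDLE_TIMEOUT_MS,
    reauthUrl: "/reauth.asp"              // assumed URL of a page that returns 401
  };
  var touch = function () { idleState.lastActivityMs = new Date().getTime(); };
  document.onmousemove = touch;
  document.onkeydown = touch;
  window.setInterval(function () {
    forceReauthIfIdle(idleState, new Date().getTime(), document, window);
  }, 30 * 1000);
}
```

Treat the client-side clear as a convenience for the user rather than a security control: a client that does not run the script is not forced to do anything, so the server must still expire its own session and answer 401 once the idle period has passed. Navigating to a 401-returning page after the clear also covers browsers where the command is unsupported, since the 401 alone is enough to make IE drop the cached credentials and prompt again.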