Maung²'s Technical Adventures

IIS 6.0 Basic Authentication Token Caching

When using Basic Authentication, with or without SSL, in IIS 6.0, the token created on the IIS server after the credentials supplied by the browser have been authenticated is cached for 15 minutes by default.  The effect of token caching is that when another request arrives with the same credentials, whether from the same or a different computer/browser, the IIS server does not need to validate the credentials again with its domain controller or authentication provider, which shortens the server's response time.

On the other hand, if the TTL is set to a longer time, the IIS server becomes less secure and more exposed to replay or spoofing attacks, because it does not re-authenticate the credentials.  Consider this: you have changed the user account's password on the server side, or may have deleted the account from the domain.  Authentication with the old or deleted credentials will still succeed, even when the request is sent from a newly opened browser on another client machine.

You can adjust the TTL of the token with the registry editor.  Set the UserTokenTTL (DWORD) value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters.  The value is a number of seconds, entered in hexadecimal in the registry editor; the default is 0x384 (15*60 = 900 seconds).

Setting this value to zero (0) gives authenticated tokens an indefinite TTL, because it disables TTL-based token flushing.  You can use FlushTokenCache to control whether IIS should immediately flush all tokens in the user token cache.
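The following is an added model of the caching behaviour described above; it is not IIS code and makes no claim about how IIS implements its cache internally. It assumes (as a simplification) that the cache is keyed by the credentials the browser resends on each request, that UserTokenTTL = 0 means tokens never expire, and that FlushTokenCache discards every cached token at once. The account store, user names and passwords are constructed sample data. The model lets you see, for a given TTL, how long a changed or deleted credential keeps being accepted without a round-trip to the domain controller.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict


class TokenCache:
    """Simplified model of the IIS 6.0 Basic-authentication token cache (hypothetical).

    ttl_seconds > 0 models UserTokenTTL in seconds; ttl_seconds == 0 models the
    special case where TTL-based flushing is disabled and tokens never expire.
    """

    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.monotonic):
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._tokens: Dict[str, float] = {}   # credential digest -> time the token was created
        self.validations = 0                   # modelled round-trips to the domain controller

    @staticmethod
    def _key(user: str, password: str) -> str:
        # Keyed by the credentials the browser resends on every request (model assumption),
        # digested so the cache itself does not retain the plaintext password.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def authenticate(self, user: str, password: str, accounts: Dict[str, str]) -> bool:
        key = self._key(user, password)
        now = self.clock()
        created = self._tokens.get(key)
        if created is not None and (self.ttl_seconds == 0 or now - created < self.ttl_seconds):
            # Cache hit: accepted without consulting the account store, even if the
            # password was changed or the account deleted after the token was cached.
            return True
        self.validations += 1
        stored = accounts.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return False
        self._tokens[key] = now
        return True

    def flush(self) -> None:
        # Models FlushTokenCache: every cached token is discarded at once.
        self._tokens.clear()


def stale_credentials_after_password_change(ttl_seconds: int):
    """Returns (first_login, stale_hit, after_ttl, dc_validations) for the given TTL."""
    now = [0.0]
    cache = TokenCache(ttl_seconds, clock=lambda: now[0])
    accounts = {"admin": "Old-Pa55word"}              # constructed sample account store
    first_login = cache.authenticate("admin", "Old-Pa55word", accounts)
    accounts["admin"] = "New-Pa55word"                # password changed on the DC
    now[0] = 60.0                                     # one minute later, from another browser
    stale_hit = cache.authenticate("admin", "Old-Pa55word", accounts)
    now[0] = 60.0 + ttl_seconds if ttl_seconds else 10**9   # past the TTL, or far in the future
    after_ttl = cache.authenticate("admin", "Old-Pa55word", accounts)
    return first_login, stale_hit, after_ttl, cache.validations


def deleted_account_until_flush():
    """Returns (login, hit_after_delete, after_flush) with TTL 0: only a flush ends the token."""
    cache = TokenCache(ttl_seconds=0, clock=lambda: 0.0)  # UserTokenTTL = 0: never expires
    accounts = {"svc": "S3cret"}                          # constructed sample account store
    login = cache.authenticate("svc", "S3cret", accounts)
    del accounts["svc"]                                   # account removed from the domain
    hit_after_delete = cache.authenticate("svc", "S3cret", accounts)
    cache.flush()
    after_flush = cache.authenticate("svc", "S3cret", accounts)
    return login, hit_after_delete, after_flush


if __name__ == "__main__":
    print("TTL 900 s:", stale_credentials_after_password_change(900))
    print("TTL 0    :", stale_credentials_after_password_change(0))
    print("flush    :", deleted_account_until_flush())
```

With the default 900-second TTL the old password is still accepted a minute after the change and is only rejected once the token has aged out; with a TTL of 0 it is accepted indefinitely and only a flush removes it. The `validations` counter shows the other side of the trade-off: every cache miss is a trip to the domain controller.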

So what are the consequences of adjusting the UserTokenTTL value?

For a web site using Anonymous access, you may gain better performance by setting a longer TTL value.  However, a longer TTL value definitely creates security problems for sites accessed using high-privileged accounts, such as a remote administration site.  I would recommend using a shorter token TTL, or disabling token caching, for such scenarios.

But again, if you are using Basic authentication on most of your sites and you have disabled the token cache, so that IIS validates every request made to any web page, you will see a negative effect on performance.

Having said that, it is important to note that UserTokenTTL is a global registry setting, not a per-site one.  You will have to decide on the value that suits the majority of the sites hosted on the server.

Read more about Basic Authentication on the Microsoft TechNet site.

Basic Authentication
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cf438d2c-f9c7-4351-bf56-d2ab950d7d6e.mspx?mfr=true

Configuring Token Cache for Basic Authentication
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true