>It's not difficult to write this type of filter, however, it's relatively expensive in terms of processing load because any Auth
>filters get called on every request. Lot of throughput through the filter...
What we have plan is to unsecure the first page which will fire the ISAPI to prompt the user for this username and password. If expired, will react with the form to update his password. Then, we forward to our secure location. So, this ISAPI will only be call at first. But, it will also be responsible to establish the basic authentification as if it was coming from the browser.
What do you think?