Francis Dion via .NET 247 #1
Authentication and multiple browser session
Hi,
I have discovered what I consider to be an annoyance at best and, in some scenarios, a security flaw. After browsing the newsgroups, I haven't found anybody complaining about it, which surprises me quite a bit.
When using Forms Authentication in an ASP.NET application, the user's identity is stored in a cookie on the client's computer.
Here is my scenario:
1. A computer is available to a group of workers.
2. Worker "W" logs into the ASP.NET application and gets access to a specific set of features.
3. Worker "W" walks away, leaving his browser session open.
4. Some while later, Manager "M" walks to the same computer, starts a new browser session and logs into the ASP.NET application, getting access to another set of features.
5. Manager "M" closes his browser and walks away from the computer.
6. Worker "W" comes back to the computer and refreshes his original browser session.
7. Surprise! The session originally created by Worker "W" now gives him access to the Manager's feature set!
In other words, ASP.NET Forms Authentication manages the identity at the client machine level.
I have 2 questions regarding this behaviour:
A) Am I the only one bothered by this? (If so, I might convince myself to get over it ;-)
B) Is there any way I can manage identities at the Session level, thus allowing a single computer to have browser sessions opened concurrently with independent identities?
Thanks a lot!
--------------------------------
From: Francis Dion
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
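An added example, not part of the original post: one way to keep a page that was rendered for Worker "W" from being posted back under Manager "M"'s cookie is to key the view-state MAC to the authenticated user. It assumes ASP.NET 2.0 or later Web Forms with view-state MAC enabled; `IdentityBoundPage` is a hypothetical base class that the application's pages would inherit from.

```csharp
// Added example. IdentityBoundPage is a hypothetical name, not a framework class.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class IdentityBoundPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Key the view-state MAC to the identity this page is rendered for.
        // A page rendered for "W" then fails validation when it is posted
        // back while the shared auth cookie identifies "M".
        if (User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = User.Identity.Name;
        }
    }

    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        bool viewStateRejected = ex is ViewStateException
            || (ex != null && ex.InnerException is ViewStateException);

        if (!viewStateRejected)
        {
            base.OnError(e);
            return;
        }

        // View state failed validation: the posting window and the auth
        // cookie may disagree about who is logged in. Drop the ticket and
        // the session data, then require a fresh login.
        Server.ClearError();
        FormsAuthentication.SignOut();
        if (Context.Session != null)
        {
            Context.Session.Abandon();
        }
        Response.Redirect(FormsAuthentication.LoginUrl, false);
    }
}
```

This covers postbacks only: a plain refresh is a GET that carries no view state, so it still follows whatever identity the cookie holds.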




