forms authentication not authenticating

[Greg Burns]

I have built a web app that uses forms authentication. There isn't a
"remember me" feature (i.e. the authentication cookie is not permanent).
When you close the browser, and open a new one, you must log in again. This
is the behavior I expected.

I just discovered that if I have a browser window open (to anything) prior
to opening my web app in a new browser window, it appears to share session
information. I can then open and close my web app over and over and it
never makes me log in after the very first time if that first browser window
(which isn't even part of my app) remains open.

It there anything I can do about this?

Thanks,
Greg

[Tian Min Huang]

Hi Greg,

It is really strange since the browser has no relation to the asp.net web
application. Anyway, please check out your web.config file to see if there
is anything wrong.

Also, I suggest you try the steps in this article to create a form based
authentication asp.net web app. Please test on this new web app to see if
you could repro the problem.
"HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
by Using Visual Basic .NET"
[url]http://support.microsoft.com/?id=308157[/url]

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! ¨C [url]www.microsoft.com/security[/url]
This posting is provided ¡°as is¡± with no warranties and confers no rights.

[Greg Burns]

I did some more testing.

Try this to duplicate the problem:

Open a site that uses forms authentication. In my test I am using the
IBuySpy portal.

[url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]

Create account and sign in (do not check the remember login box). Creating
a shortcut on desktop (I think this is the important piece.) to the web
site.

Close all browser windows.

Open a new browser window to something (say [url]www.yahoo.com[/url])

Leave that window open, double click on the shortcut to IBuySpy portal.
Sign-in again. Close browser, leaving Yahoo open in first browser.
Double-click shortcut to IBuySpy again. Notice, you are still logged in!
Close window, repeat ad nauseam. :^)

Thanks,
Greg



"Tian Min Huang" <timhuang@online.microsoft.com> wrote in message
news:oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl...

> Hi Greg,
>
> It is really strange since the browser has no relation to the asp.net web
> application. Anyway, please check out your web.config file to see if there
> is anything wrong.
>
> Also, I suggest you try the steps in this article to create a form based
> authentication asp.net web app. Please test on this new web app to see if
> you could repro the problem.
> "HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
> by Using Visual Basic .NET"
> [url]http://support.microsoft.com/?id=308157[/url]
>
> Regards,
>
> HuangTM
> Microsoft Online Partner Support
> MCSE/MCSD
>
> Get Secure! ¨C [url]www.microsoft.com/security[/url]
> This posting is provided ¡°as is¡± with no warranties and confers no

rights.

>
>

[Greg Burns]

You can do the same thing by opening a browser window, then opening a a new
window from it (CTRL-N).

I am sure this is just the way it works, but it was confusing at first. Am
I correct in saying, it is because all these windows are sharing the same
session ID, hence the same authentication cookie? (I can see that they
are.)

I guess, double-clicking on a shortcut to a web site does the same thing as
a CTRL-N. Ie., it does not launch a new session. Bummer.

Thanks,
Greg


"Jim Cheshire (MS)" <jamesche@online.microsoft.com> wrote in message
news:OFQmsOUVDHA.2000@cpmsftngxa06.phx.gbl...

> Hi Greg,
>
> I can reproduce this issue easily. I am looking into it for you.
>
> Jim Cheshire
> Developer Support
> ASP.NET
> [email]jamesche@online.microsoft.com[/email]
>
> This post is provided as-is with no warranties and confers no rights.
>
> --------------------

> >From: "Greg Burns" <greg_burns@hotmail.com>
> >References: <#TWEU8gUDHA.2284@TK2MSFTNGP11.phx.gbl>

> <oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl>

> >Subject: Re: forms authentication not authenticating
> >Date: Mon, 28 Jul 2003 10:20:37 -0400
> >Lines: 55
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> >Message-ID: <#E1jsNRVDHA.2104@TK2MSFTNGP10.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.framework.aspnet
> >NNTP-Posting-Host: 146.145.213.7
> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
> >Xref: cpmsftngxa06.phx.gbl

microsoft.public.dotnet.framework.aspnet:162604

> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
> >
> >I did some more testing.
> >
> >Try this to duplicate the problem:
> >
> >Open a site that uses forms authentication. In my test I am using the
> >IBuySpy portal.
> >
> >[url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]
> >
> >Create account and sign in (do not check the remember login box).

Creating

> >a shortcut on desktop (I think this is the important piece.) to the web
> >site.
> >
> >Close all browser windows.
> >
> >Open a new browser window to something (say [url]www.yahoo.com[/url])
> >
> >Leave that window open, double click on the shortcut to IBuySpy portal.
> >Sign-in again. Close browser, leaving Yahoo open in first browser.
> >Double-click shortcut to IBuySpy again. Notice, you are still logged in!
> >Close window, repeat ad nauseam. :^)
> >
> >Thanks,
> >Greg
> >
> >
> >
> >"Tian Min Huang" <timhuang@online.microsoft.com> wrote in message
> >news:oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl...

> >> Hi Greg,
> >>
> >> It is really strange since the browser has no relation to the asp.net

web

> >> application. Anyway, please check out your web.config file to see if

> there

> >> is anything wrong.
> >>
> >> Also, I suggest you try the steps in this article to create a form

based

> >> authentication asp.net web app. Please test on this new web app to see

if

> >> you could repro the problem.
> >> "HOW TO: Implement Forms-Based Authentication in Your ASP.NET

Application

> >> by Using Visual Basic .NET"
> >> [url]http://support.microsoft.com/?id=308157[/url]
> >>
> >> Regards,
> >>
> >> HuangTM
> >> Microsoft Online Partner Support
> >> MCSE/MCSD
> >>
> >> Get Secure! ¨C [url]www.microsoft.com/security[/url]
> >> This posting is provided ¡°as is¡± with no warranties and confers no

> >rights.

> >>
> >>

> >
> >
> >

>

[Jim Cheshire]

Greg,

That's exactly what's happening. When you are using Forms authentication
and an unpersistant cookie, the cookie is in-memory. Apparently, Internet
Explorer is sharing that memory space when the window is opened via the
shortcut icon or a Ctrl-N. This is expected when you are using Ctrl-N or
Window, New Window. Obviously if that didn't share session state with the
original window, it would be undesirable for an Internet developer. (That
would also mean that a client-side window.open or a _blank target attribute
would also lose session state.)

This is by-design, although it may be counter-intuitive at first and may
provide undesirable results at times. The solution in your case is to make
sure that your Forms authentication ticket expires within a relatively
short timeframe.

Jim Cheshire
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]

This post is provided as-is with no warranties and confers no rights.

--------------------

>From: "Greg Burns" <greg_burns@hotmail.com>
>References: <#TWEU8gUDHA.2284@TK2MSFTNGP11.phx.gbl>

<oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl>
<#E1jsNRVDHA.2104@TK2MSFTNGP10.phx.gbl>
<OFQmsOUVDHA.2000@cpmsftngxa06.phx.gbl>

>Subject: Re: forms authentication not authenticating
>Date: Mon, 28 Jul 2003 17:18:11 -0400
>Lines: 112
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <e$NgB3UVDHA.3232@tk2msftngp13.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 146.145.213.7
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:162771
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>You can do the same thing by opening a browser window, then opening a a new
>window from it (CTRL-N).
>
>I am sure this is just the way it works, but it was confusing at first. Am
>I correct in saying, it is because all these windows are sharing the same
>session ID, hence the same authentication cookie? (I can see that they
>are.)
>
>I guess, double-clicking on a shortcut to a web site does the same thing as
>a CTRL-N. Ie., it does not launch a new session. Bummer.
>
>Thanks,
>Greg
>
>
>"Jim Cheshire (MS)" <jamesche@online.microsoft.com> wrote in message
>news:OFQmsOUVDHA.2000@cpmsftngxa06.phx.gbl...

>> Hi Greg,
>>
>> I can reproduce this issue easily. I am looking into it for you.
>>
>> Jim Cheshire
>> Developer Support
>> ASP.NET
>> [email]jamesche@online.microsoft.com[/email]
>>
>> This post is provided as-is with no warranties and confers no rights.
>>
>> --------------------

>> >From: "Greg Burns" <greg_burns@hotmail.com>
>> >References: <#TWEU8gUDHA.2284@TK2MSFTNGP11.phx.gbl>

>> <oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl>

>> >Subject: Re: forms authentication not authenticating
>> >Date: Mon, 28 Jul 2003 10:20:37 -0400
>> >Lines: 55
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>> >Message-ID: <#E1jsNRVDHA.2104@TK2MSFTNGP10.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.framework.aspnet
>> >NNTP-Posting-Host: 146.145.213.7
>> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>> >Xref: cpmsftngxa06.phx.gbl

>microsoft.public.dotnet.framework.aspnet:162604

>> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>> >
>> >I did some more testing.
>> >
>> >Try this to duplicate the problem:
>> >
>> >Open a site that uses forms authentication. In my test I am using the
>> >IBuySpy portal.
>> >
>> >[url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]
>> >
>> >Create account and sign in (do not check the remember login box).

>Creating

>> >a shortcut on desktop (I think this is the important piece.) to the web
>> >site.
>> >
>> >Close all browser windows.
>> >
>> >Open a new browser window to something (say [url]www.yahoo.com[/url])
>> >
>> >Leave that window open, double click on the shortcut to IBuySpy portal.
>> >Sign-in again. Close browser, leaving Yahoo open in first browser.
>> >Double-click shortcut to IBuySpy again. Notice, you are still logged

in!

>> >Close window, repeat ad nauseam. :^)
>> >
>> >Thanks,
>> >Greg
>> >
>> >
>> >
>> >"Tian Min Huang" <timhuang@online.microsoft.com> wrote in message
>> >news:oswAdEoUDHA.2152@cpmsftngxa06.phx.gbl...
>> >> Hi Greg,
>> >>
>> >> It is really strange since the browser has no relation to the asp.net

>web

>> >> application. Anyway, please check out your web.config file to see if

>> there

>> >> is anything wrong.
>> >>
>> >> Also, I suggest you try the steps in this article to create a form

>based

>> >> authentication asp.net web app. Please test on this new web app to see

>if

>> >> you could repro the problem.
>> >> "HOW TO: Implement Forms-Based Authentication in Your ASP.NET

>Application

>> >> by Using Visual Basic .NET"
>> >> [url]http://support.microsoft.com/?id=308157[/url]
>> >>
>> >> Regards,
>> >>
>> >> HuangTM
>> >> Microsoft Online Partner Support
>> >> MCSE/MCSD
>> >>
>> >> Get Secure! ¨C [url]www.microsoft.com/security[/url]
>> >> This posting is provided ¡°as is¡± with no warranties and confers no
>> >rights.
>> >>
>> >>
>> >
>> >
>> >

>>

>
>
>