Professional Web Applications Themes

forms authentication not authenticating - ASP.NET General

I have built a web app that uses forms authentication. There isn't a "remember me" feature (i.e. the authentication cookie is not permanent). When you close the browser, and open a new one, you must log in again. This is the behavior I expected. I just discovered that if I have a browser window open (to anything) prior to opening my web app in a new browser window, it appears to share session information. I can then open and close my web app over and over and it never makes me log in after the very first time if that ...

  1. #1

    Default forms authentication not authenticating

    I have built a web app that uses forms authentication. There isn't a
    "remember me" feature (i.e. the authentication cookie is not permanent).
    When you close the browser, and open a new one, you must log in again. This
    is the behavior I expected.

    I just discovered that if I have a browser window open (to anything) prior
    to opening my web app in a new browser window, it appears to share session
    information. I can then open and close my web app over and over and it
    never makes me log in after the very first time if that first browser window
    (which isn't even part of my app) remains open.

    It there anything I can do about this?

    Thanks,
    Greg


    Greg Burns Guest

  2. #2

    Default RE: forms authentication not authenticating

    Hi Greg,

    It is really strange since the browser has no relation to the asp.net web
    application. Anyway, please check out your web.config file to see if there
    is anything wrong.

    Also, I suggest you try the steps in this article to create a form based
    authentication asp.net web app. Please test on this new web app to see if
    you could repro the problem.
    "HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
    by Using Visual Basic .NET"
    [url]http://support.microsoft.com/?id=308157[/url]

    Regards,

    HuangTM
    Microsoft Online Partner Support
    MCSE/MCSD

    Get Secure! 每 [url]www.microsoft.com/security[/url]
    This posting is provided ※as is§ with no warranties and confers no rights.


    Tian Min Huang Guest

  3. #3

    Default Re: forms authentication not authenticating

    I did some more testing.

    Try this to duplicate the problem:

    Open a site that uses forms authentication. In my test I am using the
    IBuySpy portal.

    [url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]

    Create account and sign in (do not check the remember login box). Creating
    a shortcut on desktop (I think this is the important piece.) to the web
    site.

    Close all browser windows.

    Open a new browser window to something (say [url]www.[/url])

    Leave that window open, double click on the shortcut to IBuySpy portal.
    Sign-in again. Close browser, leaving Yahoo open in first browser.
    Double-click shortcut to IBuySpy again. Notice, you are still logged in!
    Close window, repeat ad nauseam. :^)

    Thanks,
    Greg



    "Tian Min Huang" <timhuangonline.microsoft.com> wrote in message
    news:oswAdEoUDHA.2152cpmsftngxa06.phx.gbl...
    > Hi Greg,
    >
    > It is really strange since the browser has no relation to the asp.net web
    > application. Anyway, please check out your web.config file to see if there
    > is anything wrong.
    >
    > Also, I suggest you try the steps in this article to create a form based
    > authentication asp.net web app. Please test on this new web app to see if
    > you could repro the problem.
    > "HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
    > by Using Visual Basic .NET"
    > [url]http://support.microsoft.com/?id=308157[/url]
    >
    > Regards,
    >
    > HuangTM
    > Microsoft Online Partner Support
    > MCSE/MCSD
    >
    > Get Secure! 每 [url]www.microsoft.com/security[/url]
    > This posting is provided ※as is§ with no warranties and confers no
    rights.
    >
    >

    Greg Burns Guest

  4. #4

    Default Re: forms authentication not authenticating

    You can do the same thing by opening a browser window, then opening a a new
    window from it (CTRL-N).

    I am sure this is just the way it works, but it was confusing at first. Am
    I correct in saying, it is because all these windows are sharing the same
    session ID, hence the same authentication cookie? (I can see that they
    are.)

    I guess, double-clicking on a shortcut to a web site does the same thing as
    a CTRL-N. Ie., it does not launch a new session. Bummer.

    Thanks,
    Greg


    "Jim Cheshire (MS)" <jamescheonline.microsoft.com> wrote in message
    news:OFQmsOUVDHA.2000cpmsftngxa06.phx.gbl...
    > Hi Greg,
    >
    > I can reproduce this issue easily. I am looking into it for you.
    >
    > Jim Cheshire
    > Developer Support
    > ASP.NET
    > [email]jamescheonline.microsoft.com[/email]
    >
    > This post is provided as-is with no warranties and confers no rights.
    >
    > --------------------
    > >From: "Greg Burns" <greg_burnshotmail.com>
    > >References: <#TWEU8gUDHA.2284TK2MSFTNGP11.phx.gbl>
    > <oswAdEoUDHA.2152cpmsftngxa06.phx.gbl>
    > >Subject: Re: forms authentication not authenticating
    > >Date: Mon, 28 Jul 2003 10:20:37 -0400
    > >Lines: 55
    > >X-Priority: 3
    > >X-MSMail-Priority: Normal
    > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > >Message-ID: <#E1jsNRVDHA.2104TK2MSFTNGP10.phx.gbl>
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet
    > >NNTP-Posting-Host: 146.145.213.7
    > >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
    > >Xref: cpmsftngxa06.phx.gbl
    microsoft.public.dotnet.framework.aspnet:162604
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    > >
    > >I did some more testing.
    > >
    > >Try this to duplicate the problem:
    > >
    > >Open a site that uses forms authentication. In my test I am using the
    > >IBuySpy portal.
    > >
    > >[url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]
    > >
    > >Create account and sign in (do not check the remember login box).
    Creating
    > >a shortcut on desktop (I think this is the important piece.) to the web
    > >site.
    > >
    > >Close all browser windows.
    > >
    > >Open a new browser window to something (say [url]www.[/url])
    > >
    > >Leave that window open, double click on the shortcut to IBuySpy portal.
    > >Sign-in again. Close browser, leaving Yahoo open in first browser.
    > >Double-click shortcut to IBuySpy again. Notice, you are still logged in!
    > >Close window, repeat ad nauseam. :^)
    > >
    > >Thanks,
    > >Greg
    > >
    > >
    > >
    > >"Tian Min Huang" <timhuangonline.microsoft.com> wrote in message
    > >news:oswAdEoUDHA.2152cpmsftngxa06.phx.gbl...
    > >> Hi Greg,
    > >>
    > >> It is really strange since the browser has no relation to the asp.net
    web
    > >> application. Anyway, please check out your web.config file to see if
    > there
    > >> is anything wrong.
    > >>
    > >> Also, I suggest you try the steps in this article to create a form
    based
    > >> authentication asp.net web app. Please test on this new web app to see
    if
    > >> you could repro the problem.
    > >> "HOW TO: Implement Forms-Based Authentication in Your ASP.NET
    Application
    > >> by Using Visual Basic .NET"
    > >> [url]http://support.microsoft.com/?id=308157[/url]
    > >>
    > >> Regards,
    > >>
    > >> HuangTM
    > >> Microsoft Online Partner Support
    > >> MCSE/MCSD
    > >>
    > >> Get Secure! 每 [url]www.microsoft.com/security[/url]
    > >> This posting is provided ※as is§ with no warranties and confers no
    > >rights.
    > >>
    > >>
    > >
    > >
    > >
    >

    Greg Burns Guest

  5. #5

    Default Re: forms authentication not authenticating

    Greg,

    That's exactly what's happening. When you are using Forms authentication
    and an unpersistant cookie, the cookie is in-memory. Apparently, Internet
    Explorer is sharing that memory space when the window is opened via the
    shortcut icon or a Ctrl-N. This is expected when you are using Ctrl-N or
    Window, New Window. Obviously if that didn't share session state with the
    original window, it would be undesirable for an Internet developer. (That
    would also mean that a client-side window.open or a _blank target attribute
    would also lose session state.)

    This is by-design, although it may be counter-intuitive at first and may
    provide undesirable results at times. The solution in your case is to make
    sure that your Forms authentication ticket expires within a relatively
    short timeframe.

    Jim Cheshire
    Developer Support
    ASP.NET
    [email]jamescheonline.microsoft.com[/email]

    This post is provided as-is with no warranties and confers no rights.

    --------------------
    >From: "Greg Burns" <greg_burnshotmail.com>
    >References: <#TWEU8gUDHA.2284TK2MSFTNGP11.phx.gbl>
    <oswAdEoUDHA.2152cpmsftngxa06.phx.gbl>
    <#E1jsNRVDHA.2104TK2MSFTNGP10.phx.gbl>
    <OFQmsOUVDHA.2000cpmsftngxa06.phx.gbl>
    >Subject: Re: forms authentication not authenticating
    >Date: Mon, 28 Jul 2003 17:18:11 -0400
    >Lines: 112
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    >Message-ID: <e$NgB3UVDHA.3232tk2msftngp13.phx.gbl>
    >Newsgroups: microsoft.public.dotnet.framework.aspnet
    >NNTP-Posting-Host: 146.145.213.7
    >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
    >Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:162771
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    >
    >You can do the same thing by opening a browser window, then opening a a new
    >window from it (CTRL-N).
    >
    >I am sure this is just the way it works, but it was confusing at first. Am
    >I correct in saying, it is because all these windows are sharing the same
    >session ID, hence the same authentication cookie? (I can see that they
    >are.)
    >
    >I guess, double-clicking on a shortcut to a web site does the same thing as
    >a CTRL-N. Ie., it does not launch a new session. Bummer.
    >
    >Thanks,
    >Greg
    >
    >
    >"Jim Cheshire (MS)" <jamescheonline.microsoft.com> wrote in message
    >news:OFQmsOUVDHA.2000cpmsftngxa06.phx.gbl...
    >> Hi Greg,
    >>
    >> I can reproduce this issue easily. I am looking into it for you.
    >>
    >> Jim Cheshire
    >> Developer Support
    >> ASP.NET
    >> [email]jamescheonline.microsoft.com[/email]
    >>
    >> This post is provided as-is with no warranties and confers no rights.
    >>
    >> --------------------
    >> >From: "Greg Burns" <greg_burnshotmail.com>
    >> >References: <#TWEU8gUDHA.2284TK2MSFTNGP11.phx.gbl>
    >> <oswAdEoUDHA.2152cpmsftngxa06.phx.gbl>
    >> >Subject: Re: forms authentication not authenticating
    >> >Date: Mon, 28 Jul 2003 10:20:37 -0400
    >> >Lines: 55
    >> >X-Priority: 3
    >> >X-MSMail-Priority: Normal
    >> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    >> >Message-ID: <#E1jsNRVDHA.2104TK2MSFTNGP10.phx.gbl>
    >> >Newsgroups: microsoft.public.dotnet.framework.aspnet
    >> >NNTP-Posting-Host: 146.145.213.7
    >> >Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
    >> >Xref: cpmsftngxa06.phx.gbl
    >microsoft.public.dotnet.framework.aspnet:162604
    >> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    >> >
    >> >I did some more testing.
    >> >
    >> >Try this to duplicate the problem:
    >> >
    >> >Open a site that uses forms authentication. In my test I am using the
    >> >IBuySpy portal.
    >> >
    >> >[url]http://www.asp.net/IBS_Portal/DesktopDefault.aspx[/url]
    >> >
    >> >Create account and sign in (do not check the remember login box).
    >Creating
    >> >a shortcut on desktop (I think this is the important piece.) to the web
    >> >site.
    >> >
    >> >Close all browser windows.
    >> >
    >> >Open a new browser window to something (say [url]www.[/url])
    >> >
    >> >Leave that window open, double click on the shortcut to IBuySpy portal.
    >> >Sign-in again. Close browser, leaving Yahoo open in first browser.
    >> >Double-click shortcut to IBuySpy again. Notice, you are still logged
    in!
    >> >Close window, repeat ad nauseam. :^)
    >> >
    >> >Thanks,
    >> >Greg
    >> >
    >> >
    >> >
    >> >"Tian Min Huang" <timhuangonline.microsoft.com> wrote in message
    >> >news:oswAdEoUDHA.2152cpmsftngxa06.phx.gbl...
    >> >> Hi Greg,
    >> >>
    >> >> It is really strange since the browser has no relation to the asp.net
    >web
    >> >> application. Anyway, please check out your web.config file to see if
    >> there
    >> >> is anything wrong.
    >> >>
    >> >> Also, I suggest you try the steps in this article to create a form
    >based
    >> >> authentication asp.net web app. Please test on this new web app to see
    >if
    >> >> you could repro the problem.
    >> >> "HOW TO: Implement Forms-Based Authentication in Your ASP.NET
    >Application
    >> >> by Using Visual Basic .NET"
    >> >> [url]http://support.microsoft.com/?id=308157[/url]
    >> >>
    >> >> Regards,
    >> >>
    >> >> HuangTM
    >> >> Microsoft Online Partner Support
    >> >> MCSE/MCSD
    >> >>
    >> >> Get Secure! 每 [url]www.microsoft.com/security[/url]
    >> >> This posting is provided ※as is§ with no warranties and confers no
    >> >rights.
    >> >>
    >> >>
    >> >
    >> >
    >> >
    >>
    >
    >
    >
    Jim Cheshire Guest

Similar Threads

  1. Replies: 1
    Last Post: November 10th, 03:44 PM
  2. Replies: 3
    Last Post: March 2nd, 12:08 AM
  3. ASP.Net Forms authentication with basic authentication popup
    By Brett Porter in forum ASP.NET Security
    Replies: 2
    Last Post: January 20th, 02:17 PM
  4. Replies: 1
    Last Post: October 20th, 06:04 PM
  5. Authentication ticket, cookieless, forms authentication?
    By Lauchlan M in forum ASP.NET Security
    Replies: 0
    Last Post: October 1st, 12:23 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139