forms authentication not authenticating

[Greg Burns]

I have built a web app that uses forms authentication. There isn't a
"remember me" feature (i.e. the authentication cookie is not permanent).
When you close the browser, and open a new one, you must log in again. This
is the behavior I expected.

I just discovered that if I have a browser window open (to anything) prior
to opening my web app in a new browser window, it appears to share session
information. I can then open and close my web app over and over and it
never makes me log in after the very first time if that first browser window
(which isn't even part of my app) remains open.

It there anything I can do about this?

Thanks,
Greg

 

[Tian Min Huang]

Hi Greg,

It is really strange since the browser has no relation to the asp.net web
application. Anyway, please check out your web.config file to see if there
is anything wrong.

Also, I suggest you try the steps in this article to create a form based
authentication asp.net web app. Please test on this new web app to see if
you could repro the problem.
"HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
by Using Visual Basic .NET"
http://support.microsoft.com/?id=308157

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! ¨C www.microsoft.com/security
This posting is provided ¡°as is¡± with no warranties and confers no rights.

 

[Greg Burns]

I did some more testing.

Try this to duplicate the problem:

Open a site that uses forms authentication. In my test I am using the
IBuySpy portal.

http://www.asp.net/IBS_Portal/DesktopDefault.aspx

Create account and sign in (do not check the remember login box). Creating
a shortcut on desktop (I think this is the important piece.) to the web
site.

Close all browser windows.

Open a new browser window to something (say www.yahoo.com)

Leave that window open, double click on the shortcut to IBuySpy portal.
Sign-in again. Close browser, leaving Yahoo open in first browser.
Double-click shortcut to IBuySpy again. Notice, you are still logged in!
Close window, repeat ad nauseam. :^)

Thanks,
Greg

 

[Greg Burns]

You can do the same thing by opening a browser window, then opening a a new
window from it (CTRL-N).

I am sure this is just the way it works, but it was confusing at first. Am
I correct in saying, it is because all these windows are sharing the same
session ID, hence the same authentication cookie? (I can see that they
are.)

I guess, double-clicking on a shortcut to a web site does the same thing as
a CTRL-N. Ie., it does not launch a new session. Bummer.

Thanks,
Greg

 

[Jim Cheshire]

Greg,

That's exactly what's happening. When you are using Forms authentication
and an unpersistant cookie, the cookie is in-memory. Apparently, Internet
Explorer is sharing that memory space when the window is opened via the
shortcut icon or a Ctrl-N. This is expected when you are using Ctrl-N or
Window, New Window. Obviously if that didn't share session state with the
original window, it would be undesirable for an Internet developer. (That
would also mean that a client-side window.open or a _blank target attribute
would also lose session state.)

This is by-design, although it may be counter-intuitive at first and may
provide undesirable results at times. The solution in your case is to make
sure that your Forms authentication ticket expires within a relatively
short timeframe.

Jim Cheshire
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Greg Burns" <[email protected]>
References: <#[email protected]>

<[email protected]>