Session-specific Auth Cookie

Discussion in 'ASP .Net Security' started by Matt Braun, Feb 2, 2006.

  1. Matt Braun

    Matt Braun Guest

    I'm testing an ASP.NET 2.0 Application that uses Forms Authentication, a
    custom Security Provider, and the built-in asp:Login server control. I've
    discovered that if I open two or more separate instances of a given browser
    (i.e., 2+ instances of IE or 2+ instances of FireFox) and log in to one browser
    using one set of credentials and the other using another set that sporadically
    the browsers begin sharing the information about who is logged in and, thus, I
    can only effectively be logged in as one person at a time from a given
    machine.

    Generally - in IE - if I only use the buttons in the application to move
    around then I'm okay but if I hit the browser's back button it tends to
    change me over to the credentials of whichever user I most recently loaded a
    page for.

    In Firefox, the behavior is a bit different - it consistently shares the
    information across all instances no matter if I'm clicking through only using
    buttons/links in the app or if I'm using my back button.

    Naturally, if I have FireFox and IE open at the same time, they don't share
    the data and I *can* run two separate logged in users from the same machine.
    Based on this behavior, I think that what is happening is that the .ASPAUTHX
    cookie is being shared across my sessions in any given version of browser.

    1. Can anyone confirm that what I'm seeing is expected behavior? Should
    .ASPXAuth cookies (for a single application) be shared globally across all
    instances of a given browser?

    2. Is it possible to enforce .ASPAUTHX cookies to be session-specific to
    allow for having two instances of IE open at the same time but logged in as
    two different users?
    Matt Braun, Feb 2, 2006
    #1

  2. Hi,

    this sounds like you are persisting the cookie on the hard drive.

    Usually the auth cookie is a temporary cookie per session. However - if you
    start a new IE instance using ctrl+n e.g. they share the temporary cookies.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I'm testing an ASP.NET 2.0 Application that uses Forms Authentication,
    > a custom Security Provider, and the built-in asp:Login server control.
    > I've discovered that if I open two or more separate instances of a
    > given browser (i.e., 2+ instances of IE or 2+ instances of FireFox) and
    > log in to one browser using one set of credentials and the other using
    > another set that sporadically the browsers begin sharing the
    > information about who is logged in and, thus, I can only effectively be
    > logged in as one person at a time from a given machine.
    >
    > Generally - in IE - if I only use the buttons in the application to
    > move around then I'm okay but if I hit the browser's back button it
    > tends to change me over to the credentials of whichever user I most
    > recently loaded a page for.
    >
    > In Firefox, the behavior is a bit different - it consistently shares
    > the information across all instances no matter if I'm clicking through
    > only using buttons/links in the app or if I'm using my back button.
    >
    > Naturally, if I have FireFox and IE open at the same time, they don't
    > share the data and I *can* run two separate logged in users from the
    > same machine. Based on this behavior, I think that what is happening
    > is that the .ASPAUTHX cookie is being shared across my sessions in any
    > given version of browser.
    >
    > 1. Can anyone confirm that what I'm seeing is expected behavior?
    > Should .ASPXAuth cookies (for a single application) be shared globally
    > across all instances of a given browser?
    >
    > 2. Is it possible to enforce .ASPAUTHX cookies to be session-specific
    > to allow for having two instances of IE open at the same time but
    > logged in as two different users?
    >
    Dominick Baier [DevelopMentor], Feb 2, 2006
    #2

  3. Matt Braun

    Matt Braun Guest

    I agree and what you describe is the behavior I was expecting - that each
    session would have its own auth cookie. My code (neither the web app nor the
    custom security provider) doesn't write the cookie though since I'm relying
    on ASP.NET's forms authentication to handle that. As such, I'm uncertain why
    I'm not experiencing the behavior we both expect.

    Further ideas on why ASP.NET would be writing the cookie in a way that makes
    it shared? If I look at the cookie in FireFox it does indeed identify itself
    as an "Expire At End Of Session" so, at least to that degree, it seems to be
    marked as Session cookie.

    "Dominick Baier [DevelopMentor]" wrote:

    > Hi,
    >
    > this sounds like you are persisting the cookie on the hard drive.
    >
    > Usually the auth cookie is a temporary cookie per session. However - if you
    > start a new IE instance using ctrl+n e.g. they share the temporary cookies.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I'm testing an ASP.NET 2.0 Application that uses Forms Authentication,
    > > a custom Security Provider, and the built-in asp:Login server control.
    > > I've discovered that if I open two or more separate instances of a
    > > given browser (i.e., 2+ instances of IE or 2+ instances of FireFox) and
    > > log in to one browser using one set of credentials and the other using
    > > another set that sporadically the browsers begin sharing the
    > > information about who is logged in and, thus, I can only effectively be
    > > logged in as one person at a time from a given machine.
    > >
    > > Generally - in IE - if I only use the buttons in the application to
    > > move around then I'm okay but if I hit the browser's back button it
    > > tends to change me over to the credentials of whichever user I most
    > > recently loaded a page for.
    > >
    > > In Firefox, the behavior is a bit different - it consistently shares
    > > the information across all instances no matter if I'm clicking through
    > > only using buttons/links in the app or if I'm using my back button.
    > >
    > > Naturally, if I have FireFox and IE open at the same time, they don't
    > > share the data and I *can* run two separate logged in users from the
    > > same machine. Based on this behavior, I think that what is happening
    > > is that the .ASPAUTHX cookie is being shared across my sessions in any
    > > given version of browser.
    > >
    > > 1. Can anyone confirm that what I'm seeing is expected behavior?
    > > Should .ASPXAuth cookies (for a single application) be shared globally
    > > across all instances of a given browser?
    > >
    > > 2. Is it possible to enforce .ASPAUTHX cookies to be session-specific
    > > to allow for having two instances of IE open at the same time but
    > > logged in as two different users?
    > >
    Matt Braun, Feb 2, 2006
    #3
  4. Hi,

    get a tool like www.fiddlertool.com and poke around in the http traffic -
    I am not sure what the reason could be - never experienced that.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I agree and what you describe is the behavior I was expecting - that
    > each session would have its own auth cookie. My code (neither the web
    > app nor the custom security provider) doesn't write the cookie though
    > since I'm relying on ASP.NET's forms authentication to handle that.
    > As such, I'm uncertain why I'm not experiencing the behavior we both
    > expect.
    >
    > Further ideas on why ASP.NET would be writing the cookie in a way that
    > makes it shared? If I look at the cookie in FireFox it does indeed
    > identify itself as an "Expire At End Of Session" so, at least to that
    > degree, it seems to be marked as Session cookie.
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Hi,
    >>
    >> this sounds like you are persisting the cookie on the hard drive.
    >>
    >> Usually the auth cookie is a temporary cookie per session. However -
    >> if you start a new IE instance using ctrl+n e.g. they share the
    >> temporary cookies.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I'm testing an ASP.NET 2.0 Application that uses Forms
    >>> Authentication, a custom Security Provider, and the built-in
    >>> asp:Login server control. I've discovered that if I open two or more
    >>> separate instances of a given browser (i.e., 2+ instances of IE or 2+
    >>> instances of FireFox) and log in to one browser using one set of
    >>> credentials and the other using another set that sporadically the
    >>> browsers begin sharing the information about who is logged in and,
    >>> thus, I can only effectively be logged in as one person at a time
    >>> from a given machine.
    >>>
    >>> Generally - in IE - if I only use the buttons in the application to
    >>> move around then I'm okay but if I hit the browser's back button it
    >>> tends to change me over to the credentials of whichever user I most
    >>> recently loaded a page for.
    >>>
    >>> In Firefox, the behavior is a bit different - it consistently shares
    >>> the information across all instances no matter if I'm clicking
    >>> through only using buttons/links in the app or if I'm using my back
    >>> button.
    >>>
    >>> Naturally, if I have FireFox and IE open at the same time, they
    >>> don't share the data and I *can* run two separate logged in users
    >>> from the same machine. Based on this behavior, I think that what is
    >>> happening is that the .ASPAUTHX cookie is being shared across my
    >>> sessions in any given version of browser.
    >>>
    >>> 1. Can anyone confirm that what I'm seeing is expected behavior?
    >>> Should .ASPXAuth cookies (for a single application) be shared
    >>> globally across all instances of a given browser?
    >>>
    >>> 2. Is it possible to enforce .ASPAUTHX cookies to be
    >>> session-specific to allow for having two instances of IE open at the
    >>> same time but logged in as two different users?
    >>>
    Dominick Baier [DevelopMentor], Feb 2, 2006
    #4
  5. When I see problems like this, it often has to do with confusion between a
    browser window and a browser process and how session cookies work.

    IE (and probably Firefox it sounds like) will share session cookies across
    the entire process. Here, a "session cookie" is the kind of cookie that is
    not written to disk. It is kept in memory by the browser process and "goes
    away" when the process terminates.

    A browser process can have multiple windows though. You see this all the
    time when you do ctrl+N in IE or right click "new window". As such, those
    windows will all send the same cookies back to the server. Since session
    state in IE is cookie based, all of those browser windows will use the same
    session state.

    However, it is also possible to have multiple IE processes running at the
    same time. These will not share session cookies.

    I agree with Dominick that using a tool like Fiddler or a plugin like
    ieHttpHeaders for IE (or the built in header stuff in Firefox) is a good way
    to see which cookies an individual browser window is receiving and sending so
    you can see what's going on.

    HTH,

    Joe K.

    "Matt Braun" <> wrote in message
    news:...
    >I agree and what you describe is the behavior I was expecting - that each
    > session would have its own auth cookie. My code (neither the web app nor
    > the
    > custom security provider) doesn't write the cookie though since I'm
    > relying
    > on ASP.NET's forms authentication to handle that. As such, I'm uncertain
    > why
    > I'm not experiencing the behavior we both expect.
    >
    > Further ideas on why ASP.NET would be writing the cookie in a way that
    > makes
    > it shared? If I look at the cookie in FireFox it does indeed identify
    > itself
    > as an "Expire At End Of Session" so, at least to that degree, it seems to
    > be
    > marked as Session cookie.
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Hi,
    >>
    >> this sounds like you are persisting the cookie on the hard drive.
    >>
    >> Usually the auth cookie is a temporary cookie per session. However - if
    >> you
    >> start a new IE instance using ctrl+n e.g. they share the temporary
    >> cookies.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>
    >> > I'm testing an ASP.NET 2.0 Application that uses Forms Authentication,
    >> > a custom Security Provider, and the built-in asp:Login server control.
    >> > I've discovered that if I open two or more separate instances of a
    >> > given browser (i.e., 2+ instances of IE or 2+ instances of FireFox) and
    >> > log in to one browser using one set of credentials and the other using
    >> > another set that sporadically the browsers begin sharing the
    >> > information about who is logged in and, thus, I can only effectively be
    >> > logged in as one person at a time from a given machine.
    >> >
    >> > Generally - in IE - if I only use the buttons in the application to
    >> > move around then I'm okay but if I hit the browser's back button it
    >> > tends to change me over to the credentials of whichever user I most
    >> > recently loaded a page for.
    >> >
    >> > In Firefox, the behavior is a bit different - it consistently shares
    >> > the information across all instances no matter if I'm clicking through
    >> > only using buttons/links in the app or if I'm using my back button.
    >> >
    >> > Naturally, if I have FireFox and IE open at the same time, they don't
    >> > share the data and I *can* run two separate logged in users from the
    >> > same machine. Based on this behavior, I think that what is happening
    >> > is that the .ASPAUTHX cookie is being shared across my sessions in any
    >> > given version of browser.
    >> >
    >> > 1. Can anyone confirm that what I'm seeing is expected behavior?
    >> > Should .ASPXAuth cookies (for a single application) be shared globally
    >> > across all instances of a given browser?
    >> >
    >> > 2. Is it possible to enforce .ASPAUTHX cookies to be session-specific
    >> > to allow for having two instances of IE open at the same time but
    >> > logged in as two different users?
    >> >
    Joe Kaplan (MVP - ADSI), Feb 3, 2006
    #5
  6. Matt Braun

    Matt Braun Guest

    To eliminate the chance that something specific to my implementation was
    causing this, I've created a simple project that uses the
    ReadOnlyXmlMembershipProvider (from
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/ASPNETProvMod_Prt1.asp)
    and demonstrates in a finite number of steps what is happening.

    I've replicated the problem on Windows XP SP2 with IE 6.0 and with FireFox
    1.0.7 and on Mac OSX 10.4.4 with Safari 2.0.3 so I'm confident it's not a
    client issue.

    To see the problem in action, look here and follow the instructions at the
    top of the page: http://www.ization.com/authtest/default.aspx

    To download the project and see the code that runs the example, look here:
    http://www.ization.com/authtest/authtest.zip

    Hopefully there's a simple setting that I'm overlooking that will fix this.
    (At this point, I'll even take a complex solution, though!)

    I look forward to your help.

    Matt

    "Matt Braun" wrote:

    > I'm testing an ASP.NET 2.0 Application that uses Forms Authentication, a
    > custom Security Provider, and the built-in asp:Login server control. I've
    > discovered that if I open two or more separate instances of a given browser
    > (i.e., 2+ instances of IE or 2+ instances of FireFox) and log in to one browser
    > using one set of credentials and the other using another set that sporadically
    > the browsers begin sharing the information about who is logged in and, thus, I
    > can only effectively be logged in as one person at a time from a given
    > machine.
    >
    > Generally - in IE - if I only use the buttons in the application to move
    > around then I'm okay but if I hit the browser's back button it tends to
    > change me over to the credentials of whichever user I most recently loaded a
    > page for.
    >
    > In Firefox, the behavior is a bit different - it consistently shares the
    > information across all instances no matter if I'm clicking through only using
    > buttons/links in the app or if I'm using my back button.
    >
    > Naturally, if I have FireFox and IE open at the same time, they don't share
    > the data and I *can* run two separate logged in users from the same machine.
    > Based on this behavior, I think that what is happening is that the .ASPAUTHX
    > cookie is being shared across my sessions in any given version of browser.
    >
    > 1. Can anyone confirm that what I'm seeing is expected behavior? Should
    > .ASPXAuth cookies (for a single application) be shared globally across all
    > instances of a given browser?
    >
    > 2. Is it possible to enforce .ASPAUTHX cookies to be session-specific to
    > allow for having two instances of IE open at the same time but logged in as
    > two different users?
    Matt Braun, Feb 3, 2006
    #6
  7. Hello,

    How did you open a new IE window? Click menu "File\New\Window", or click
    "Start" button on desktop and "All programs/Internet Explorer"? And will it
    make a difference if you open IE in a different way? I agree with Joe that
    the session will be shared in an IE process. If you just open a new IE
    window by clicking menu "File\New\Window", they will be in the same session.
    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 6, 2006
    #7
  8. Matt Braun

    Matt Braun Guest

    I am opening a new instance of IE by accessing IE on the Start Menu two
    different times. That's why I'm perplexed by the behavior; I would expect
    the session to cross browsers in the same process but not those in different
    processes. Try the example step for step and you'll be able to recreate what
    I'm seeing.

    Matt

    "Luke Zhang [MSFT]" wrote:

    > Hello,
    >
    > How did you open a new IE window? Click menu "File\New\Window", or click
    > "Start" button on desktop and "All programs/Internet Explorer"? And will it
    > make a difference if you open IE in a different way? I agree with Joe that
    > the session will be shared in an IE process. If you just open a new IE
    > window by clicking menu "File\New\Window", they will be in the same session.
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Matt Braun, Feb 6, 2006
    #8
  9. If you use something like ieHttpHeaders to watch the cookies going back and
    forth, do the two different browser processes send the same ASP.NET session
    cookie back to the server? That would cause confusion server-side.

    Joe K.


    "Matt Braun" <> wrote in message
    news:...
    >I am opening a new instance of IE by accessing IE on the Start Menu two
    > different times. That's why I'm perplexed by the behavior; I would expect
    > the session to cross browsers in the same process but not those in
    > different
    > processes. Try the example step for step and you'll be able to recreate
    > what
    > I'm seeing.
    >
    > Matt
    >
    > "Luke Zhang [MSFT]" wrote:
    >
    >> Hello,
    >>
    >> How did you open a new IE window? Click menu "File\New\Window", or click
    >> "Start" button on desktop and "All programs/Internet Explorer"? And will
    >> it make a difference if you open IE in a different way? I agree with Joe
    >> that the session will be shared in an IE process. If you just open a new
    >> IE window by clicking menu "File\New\Window", they will be in the same
    >> session.
    >> Luke Zhang
    >> (This posting is provided "AS IS", with no warranties, and confers no
    >> rights.)
    >>
    >>
    Joe Kaplan (MVP - ADSI), Feb 6, 2006
    #9
  10. Matt Braun

    Matt Braun Guest

    I ran the test and gathered the output using ieHTTPHeaders. I don't see
    anything in the output that indicates to me that the same cookie is being
    sent; the AuthTest cookie (which is the name assigned to my cookie in the
    <forms> section of web.config) in both browsers shows a different value.
    Here is what I got from each browser:

    ------------------------
    ** BROWSER #1 **
    ------------------------

    GET /authtest/ HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive

    HTTP/1.1 302 Found
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:57:55 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ---

    GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:57:55 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651603188281250
    HTTP/1.1
    Accept: */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:57:55 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: application/x-javascript
    --------------: -----

    GET
    /authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJhxpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
    Accept: */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:57:56 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: application/x-javascript
    --------------: -----

    POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Content-Length: 391
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: AspxAutoDetectCookieSupport=1

    __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5JbWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginView%24Login%24UserName=Test1&LoginView%24Login%24Password=1234&LoginView%24Login%24LoginButton=Log+In&__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwCALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

    HTTP/1.1 302 Found
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:49 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: /authtest/default.aspx
    Set-Cookie:
    AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C; path=/; HttpOnly
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/default.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: AspxAutoDetectCookieSupport=1;
    AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:49 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/contentpage.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer: http://www.ization.com/authtest/default.aspx
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1;
    AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:59:21 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ---


    ------------------------
    ** BROWSER #2 **
    ------------------------

    GET /authtest/ HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive

    HTTP/1.1 302 Found
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:13 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ---

    GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:13 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651603188281250
    HTTP/1.1
    Accept: */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:13 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: application/x-javascript
    --------------: -----

    GET
    /authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJhxpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
    Accept: */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:58:13 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: application/x-javascript
    --------------: -----

    POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Content-Length: 391
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: AspxAutoDetectCookieSupport=1

    __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5JbWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginView%24Login%24UserName=Test2&LoginView%24Login%24Password=1234&LoginView%24Login%24LoginButton=Log+In&__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwCALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

    HTTP/1.1 302 Found
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:59:08 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: /authtest/default.aspx
    Set-Cookie:
    AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB; path=/; HttpOnly
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/default.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer:
    http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: AspxAutoDetectCookieSupport=1;
    AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 20:59:08 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ----

    GET /authtest/contentpage.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
    */*
    Referer: http://www.ization.com/authtest/default.aspx
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
    1.1.4322; .NET CLR 2.0.50727)
    Host: www.ization.com
    Connection: Keep-Alive
    Cookie: AspxAutoDetectCookieSupport=1;
    AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 08 Feb 2006 21:00:20 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    --------------: ---



    "Joe Kaplan (MVP - ADSI)" wrote:

    > If you use something like ieHttpHeaders to watch the cookies going back and
    > forth, do the two different browser processes send the same ASP.NET session
    > cookie back to the server? That would cause confusion server-side.
    >
    > Joe K.
    >
    >
    > "Matt Braun" <> wrote in message
    > news:...
    > >I am opening a new instance of IE by accessing IE on the Start Menu two
    > > different times. That's why I'm perplexed by the behavior; I would expect
    > > the session to cross browsers in the same process but not those in
    > > different
    > > processes. Try the example step for step and you'll be able to recreate
    > > what
    > > I'm seeing.
    > >
    > > Matt
    > >
    > > "Luke Zhang [MSFT]" wrote:
    > >
    > >> Hello,
    > >>
    > >> How did you open a new IE window? Click menu "File\New\Window", or click
    > >> "Start" button on desktop and "All programs/Internet Explorer"? And will
    > >> it
    > >> make difference if you open IE in different way? I agree with Joe about
    > >> that the session will be shared in an IE process. If you just open a new
    > >> IE
    > >> window by
    > >> clicking menu "File\New\Window", they will be in the same session.
    > >> Luke Zhang
    > >> (This posting is provided "AS IS", with no warranties, and confers no
    > >> rights.)
    > >>
    > >>

    >
    >
    >
    Matt Braun, Feb 8, 2006
    #10
  11. Hello,

    You may try to clear the client IE cache first and then test again to see
    if this will help. Also, you may display the Session.SessionID on the web
    page to see if they are in the same session.

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 9, 2006
    #11
  12. Matt Braun

    Matt Braun Guest

    I should have clarified that earlier... I'm *not* using ASP.NET Session State
    so there is no Session Cookie. As a test, I did update my sample locally to
    enable session state and ran through the steps. The result is the same - the
    information gets shared b/t windows - including session state.

    As for clearing the cache, I've done that several times and that has no
    effect.

    Please, try the example as outlined in my earlier post -
    http://www.ization.com/authtest/default.aspx - I've set this up to make it
    simple for anyone to recreate what I'm seeing b/c I understand that this
    isn't normal behavior. Also, feel free to download the sample to examine it
    - http://www.ization.com/authtest/authtest.zip

    "Luke Zhang [MSFT]" wrote:

    > Hello,
    >
    > You may try to clear the client IE cache first and then test again to see
    > if this will help. Also, you may display the Session.SessionID on the web
    > page to see if they are in the same session.
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Matt Braun, Feb 9, 2006
    #12
  13. Hello,

    I tested your sample but got the correct result. The user account in browser 1
    is always 'test1'; it never changed. Therefore, I think it is still a
    client problem. Is there a proxy or firewall for your clients?

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 10, 2006
    #13
  14. Matt Braun

    Matt Braun Guest

    Hi Luke,

    Sorry for the delay; I forgot to have the forum email me with updates. To
    answer your question, no there are no firewalls or proxy servers in the mix.

    To be certain... when you did the test did you use the exact url in both
    browsers and *not* copy the url from one browser to the other? I ask b/c
    some of the people who I've had do testing have done that and there's a bit
    of extra data on the URL in the first window (namely
    AspxAutoDetectCookieSupport=1) which circumvents the problem if that's how
    you initiate the second browser. Just want to make sure we're both testing
    the same thing exactly, as the condition is very specific to recreate this
    but I've yet to walk anyone through it where it doesn't occur (I've tested on
    four diff't Windows PCs on three diff't networks at this point)

    Since my last post I have gathered some additional information. In my
    initial posts I noted that I can recreate this problem on Firefox, Safari,
    and IE for Mac. I've since come to find out that these browsers *always*
    share cookies between instances no matter how you open up the browser. This
    means that that part of my testing does not add any validation to the
    problem. Once I discovered that, however, I decided to baseline IE's
    behavior to make sure it *did* behave like I'd expect on at least one
    website. What I've found is that if I access a traditional ASP application in
    IE that sets a session cookie, the cookie is accessible only to the
    instance of the browser that set it and I can run multiple instances side by
    side with diff't cookie values and they maintain their individuality (aka; a
    diff't logged in user). When I hit my test .NET app, however, the info
    consistently manages to jump b/t browsers.

    So, it looks like the behavior that I'm expecting to see is actually a
    feature that only IE supported in the first place. That aside, I can clearly
    see that IE doesn't maintain the behavior when accessing this specific .NET
    example so I can only think that some characteristic of the cookie that is
    being set is affecting the behavior.

    Certainly if you can't recreate the problem then it's going to be hard to
    troubleshoot. I'll entertain anything that might help you out at this point;
    if you'd like to Webex to my computer to see it happening or if there's
    information I can send you, just let me know.

    Thanks again,
    Matt

    "Luke Zhang [MSFT]" wrote:

    > Hello,
    >
    > I tested your sample but got the correct result. The user account in browser 1
    > is always 'test1'; it never changed. Therefore, I think it is still a
    > client problem. Is there a proxy or firewall for your clients?
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Matt Braun, Feb 19, 2006
    #14
  15. Strange enough, I was able to reproduce the problem on my computer today.
    However, if I click the "Click Here" in browser window 2, there wasn't such
    a problem. I notice when I came back to the login form, there is no
    "AspxAutoDetectCookieSupport=1" in the url line. What does this mean?

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 20, 2006
    #15
  16. Matt Braun

    Matt Braun Guest

    "AspxAutoDetectCookieSupport=1" is something that the ASP.NET Security
    framework adds to indicate that it has set a cookie to test for cookie
    support; it only occurs once when you first hit a website that is using auto
    detection cookie support but I don't know a whole lot more than that.

    As for you not seeing the behavior quite the same in browser #2, I've found
    that if I click through in one window (be it one or two) and then go to the
    other window, the most recently used window is the user that appears and that
    it will continue to jump b/t windows based on which window I've used most
    recently. Also, however, if you F5 then it magically goes back to the
    correct user for the window.

    I suspect we need one of two groups to be looking at this... either someone
    from the .NET development team with experience with the ASP.NET
    security/login infrastructure and/or the IE development team to determine if
    IE is the culprit.

    It's definitely a quirky issue but I'm glad to hear you've reproduced it.

    Matt

    "Luke Zhang [MSFT]" wrote:

    > Strange enough, I was able to reproduce the problem on my computer today.
    > However, if I click the "Click Here" in browser window 2, there wasn't such
    > a problem. I notice when I came back to the login form, there is no
    > "AspxAutoDetectCookieSupport=1" in the url line. What does this mean?
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Matt Braun, Feb 20, 2006
    #16
  17. I have to say I CANNOT reproduce it again today! Even I have tested it on
    more than two computers. Not sure what happened.

    I notice you use history.back to go back to the login form from the content form.
    I suspect there is something wrong with the "history". For example,
    browser 1 used the history of browser 2; it didn't get fresh content from the web
    server, it just used data stored in the IE cache. I suggest you may perform a TCP
    trace on port 80, to see the data transferring between client and server
    to make sure of this.

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 21, 2006
    #17
  18. Matt Braun

    Matt Braun Guest

    I think you've identified the problem. I went back to the application where
    I first experienced this and I find that I can only recreate the issue if I
    use the browser's back/forward buttons to navigate. If I only use the links
    (non-javascript) to navigate then the browsers both accurately maintain
    separate identities since the requests always go back to the server and
    aren't served from cache.

    Can we get confirmation as to whether this is a design feature or a bug?

    "Luke Zhang [MSFT]" wrote:

    > I have to say I CANNOT reproduce it again today! Even I have tested it on
    > more than two computers. Not sure what happened.
    >
    > I notice you use history.back to go back to the login form from the content form.
    > I suspect there is something wrong with the "history". For example,
    > browser 1 used the history of browser 2; it didn't get fresh content from the web
    > server, it just used data stored in the IE cache. I suggest you may perform a TCP
    > trace on port 80, to see the data transferring between client and server
    > to make sure of this.
    >
    > Luke Zhang
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
    Matt Braun, Feb 21, 2006
    #18
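    The diagnosis in #17 and #18 (a page replayed from the browser's own cache on back/forward, so the other window's identity shows up) can be checked directly against a header dump like the one posted in #10: a response marked only `Cache-Control: private` keeps shared caches out but still lets the browser keep the page, whereas `no-store` tells it not to. The script below is an added example, not code from the thread or from the authtest sample; it assumes the ieHttpHeaders-style dump format shown above, the AuthTest cookie name, and a constructed trace with placeholder host and ticket value.

```python
import re
# Constructed sample in the ieHttpHeaders style posted in the thread (placeholder host/ticket).
SAMPLE_TRACE = """GET /authtest/default.aspx HTTP/1.1
Host: www.example.invalid
Cookie: AspxAutoDetectCookieSupport=1; AuthTest=TICKET_PLACEHOLDER

HTTP/1.1 200 OK
Cache-Control: private
--------------: ----

GET /authtest/contentpage.aspx HTTP/1.1
Host: www.example.invalid
Cookie: AspxAutoDetectCookieSupport=1; AuthTest=TICKET_PLACEHOLDER

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
--------------: ----
"""

# "Name: value" header line; a bare wrapped URL such as "http://..." does not match.
_HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(?!//)(.*)$")
def _headers(lines):
    """Header lines -> {lower-name: value}; wrapped values are rejoined, '---: ---' separators skipped."""
    out, last = {}, None
    for ln in lines:
        m = _HEADER.match(ln)
        if m:
            last = m.group(1).lower()
            out[last] = m.group(2).strip()
        elif last and not ln.startswith("-"):
            out[last] = (out[last] + " " + ln.strip()).strip()
    return out

def find_cacheable_auth_pages(trace, cookie_name="AuthTest"):
    """(path, Cache-Control) of 200 responses to requests that sent the auth cookie but lack no-store."""
    flagged, pending = [], None
    for block in re.split(r"\n(?:[ \t]*\n)+", trace.strip()):
        first, *rest = block.splitlines() or [""]
        req = re.match(r"^(?:GET|POST|HEAD) (\S+) HTTP/", first)
        resp = re.match(r"^HTTP/\d\.\d (\d{3})", first)
        if req:
            pending = (req.group(1), _headers(rest))
        elif resp and pending:                 # any other paragraph is a POST body
            path, req_hdrs = pending
            pending = None
            if resp.group(1) == "200" and f"{cookie_name}=" in req_hdrs.get("cookie", ""):
                cc = _headers(rest).get("cache-control", "")
                if "no-store" not in {d.strip().lower() for d in cc.split(",")}:
                    flagged.append((path, cc or "(absent)"))
    return flagged
```

    Run over the real dump from #10, every authenticated page would be reported, since the server only sent `Cache-Control: private`; pages that are listed are the ones a back-button navigation can show without a round trip to the server.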
  19. The key point is the issue is not totally reproducible. I have tried a .NET
    2.0 web application with form authentication on my server, and that didn't have
    such a problem. You could try changing some settings in IE on your side:
    Tools/Internet options/General/Settings/Check for newer versions of stored
    pages. Does this help with the issue?

    Luke Zhang
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Feb 22, 2006
    #19