Tabbed Browsing and SessionID

[GaryDean]

Bringing up a new browser instance when using an asp.net application using
forms authentication, of course, initiates a new session with a new
sessionID and requires authentication again.

But, I see that browsing to that same asp.net application using a new tab in
ie7 or firefox uses the same SessionID and does not require separate
authentication. This means that the same session can be on two different
pages at the same time.

Is there any way to prevent this from happening?

 

[Walter Wang [MSFT]]

Hi Gary,

A browser maintains one session to one website in one process, which means
in the same process you only need to login once and the browser will
automatically send a cookie (if cookie is enabled) to tell the web server
who you are and the web server knows you've already authenticated. Opening
a tab in the browser is just like right-clicking on a hyperlink and select
"Open in New Window" for non-tabbed browser, this is still in the same
browser process and therefore the same session is used.

For the case of "bringing up a new browser instance", it's a new process
and you're required to login again and create a new session.

Therefore the answer to your question is no, it's not possible to create a
new session in a new tab in the browser.

Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Walter Wang [MSFT]]

Hi Gary,

Have you seen my previous reply? Please feel free to let me know if you
have any concern. Thanks.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[GaryDean]

You say that another tab on the browser will be the same sessionID. But if
I set my app to cookieless where the sessionID shows in the URL, another tab
shows a different sessionID. What am I misunderstanding?

 

[Walter Wang [MSFT]]

Hi Gary,

Yes my previous statement is based on cookie-enabled session. In that case,
the cookie will be automatically sent to the server by the browser as long
as it's the same process. However, for cookieless session, when you open a
new window in the same browser process and enter the URL to the web site
(without a session id), a new session will be created.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.