trouble with Forms authentication and new windows opened with java script

[Daniel Walzenbach]

Hi,

I have an application using "Forms authentication".
Everything works perfectly well except when I try to open
a new page with java script like the following:

<script language='javascript'>window.open
(myPage.aspx','','Fullscreen=no; Scrollbars=yes;
Menubar=no; Locationbar=no; Resizable=yes; Status=no;')
</script>

I now get to see the login page. Does anybody know how to
prevent this behaviour?

Thank you a lot!
Daniel Walzenbach

 

[John Saunders]

Hi,

I have an application using "Forms authentication".
Everything works perfectly well except when I try to open
a new page with java script like the following:

<script language='javascript'>window.open
(myPage.aspx','','Fullscreen=no; Scrollbars=yes;
Menubar=no; Locationbar=no; Resizable=yes; Status=no;')
</script>

I now get to see the login page. Does anybody know how to
prevent this behaviour?

I haven't tried this myself, but I would think that if the page you're
opening is in the same domain as the site you authenticated to, that there
would be no problem.

The question comes down to whether the authentication cookie is sent to the
server by the second page. If it wasn't sent, it would most likely be
because of different domains. For instance, if you authenticated at
http://area.company.com, and you're trying to open a page at
http://somewhereelse.company.com, it should succeed if the authentication
cookie was in domain "company.com", but not if it was in domain
"area.company.com".

As a diagnostic, put a link to your "myPage.aspx" on the page and click the
link and see what happens.

Also, what browser are you using?

 

[george d lake]

2 things....
One... what's the timeout on your session? This could cause this to happen.
I had some thing like this happen with iframes. I would get the login in the
iframe that timedout.

Let me look for the JavaScript that I used to fix it.

 

[george d lake]

here is the Java script....


In the .aspx add at the beginning of the page (somewhere in the header)
<%If Request("var") <> "" Then%>
<script language="javascript">
top.location.href = 'login.aspx';
</script>
<%End If%>


What this does is check the session var "var" if it is not set (session time
out) it will load the login screen in the top frame. you might have to
change it to parent.location.href or something down that line....

 

[Daniel Walzenbach]

Thank you John and George,



Unfortunately neither of your assumptions is right. I don't navigate across
domain borders neither should my session be timed out. It is not that it
happens once in a while but ever. The page I open using Java Script is
located in a sub-directory of the same application. I am using Microsoft IE
6 SP1.



Any other suggestions? If you want I can assemble a small project containing
the two pages and up it here.



Greetings

Daniel Walzenbach

 

[MSFT]

Hi Daniel,

Since the "mypage.aspx" is in a sub directory of your web application, is
there also a "web.config" in the sub directory? And, when you perform the
form authentication, did you change any default settings for cookies?

Additionlly, have you checked if a link will work as John suggested?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Daniel Walzenbach]

Hello Luke,



Thank you for your help but I solved my problem this afternoon. In fact
George was right. My session was lost. Not due to a timeout but to the fact
that I not even had an HTML file. Mea culpa. I was directly streaming out a
pdf file. I now placed my page in an iFrame and the world is good again.



Thank you everybody for your help!

Daniel