turning cookieless mode false for client browsers that do not accept cookies

Discussion in 'ASP .Net Security' started by rk325, Apr 28, 2005.

  1. rk325

    rk325 Guest

    I have a question about cookies & browser permissions and turning off
    cookies when creating a web site (cookieless mode in web.config).

    I have a web site that of course uses Session variables.
    But we decided to turn off the cookieless mode because the client
    specifically said her browser did not allow cookies. Anyway, when
    searching about it, I found out that by setting cookieless = true the
    session cookie is embedded into the URL sent back & forth to/from the
    client so the server can identify this client. All these happen after
    authentication, when the user has already entered a username and a
    password and is redirected to the appropriate password protected web
    pages.

    A new client is signing in and he claims he cannot log in to the web
    site. He enters his credentials but all he gets back is the general
    search page (not the protected one with more capabilities). I know it
    must be something with his browser configuration, because somehow the
    security in that office has been set up to not allow anyone to do anything
    on the internet. I figure, cookies must not be allowed. But if our web
    site uses the cookieless mode, then why can't he log in at all?

    I can login from my desk using this client's credentials and can
    search fine. Since I monitor the activities of this client, all my
    searches under these credentials get recorded.

    Is there anything more to the cookieless mode that does use cookies or
    some type of security in the client's browser that must be set free?

    I guess what I would like to know exactly is what are the requirements
    for any internet browser to run ASP.NET applications that require
    forms-based authentication.

    Your comments/help/links about this will be very much appreciated.
    rk325, Apr 28, 2005
    #1

  2. The problem may be something else if you already use cookieless sessions

    I suspect the most likely issue is that your user has their network
    traffic run through a network proxy server farm. This essentially
    makes all subsequent http requests to your farm look like new sessions
    to your server(s).

    If you ask the user whether they can access their online banking
    account or some other site that requires strict authentication and
    login credentials and they can't, then this is probably it.

    We run into this problem a lot with our business-to-business
    visitors. The only way to get around it in your situation is to
    have them tell their administrators to run their traffic through
    a specific server on the network proxy server farm.

    Their proxy server farm is specifically designed to prevent
    the user from doing what you need them to do.

    --
    2005 Microsoft MVP C#
    Robbe Morris
    http://www.robbemorris.com
    http://www.masterado.net/home/listings.aspx

    Robbe Morris [C# MVP], Apr 28, 2005
    #2
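
Added example, not part of either post: with cookieless sessions the session ID travels in the URL path, so the server's request log shows which client addresses presented each ID. The Python below groups log lines by session ID and lists IDs seen from more than one address, which is what traffic leaving through several proxy addresses would look like and also what a leaked session URL looks like. The log layout, addresses and IDs are constructed; the `(S(id))` and bare `(id)` path segments are the ASP.NET 2.0 and 1.x cookieless URL forms.

```python
import re
from collections import defaultdict

# Constructed sample log lines (client IP, method, URL path); not from the thread.
SAMPLE_LOG = """\
203.0.113.10 GET /app/(S(lit3py55t21z5v55vlm25s55))/login.aspx
203.0.113.11 POST /app/(S(lit3py55t21z5v55vlm25s55))/login.aspx
203.0.113.12 GET /app/(S(lit3py55t21z5v55vlm25s55))/search.aspx
198.51.100.7 GET /app/(S(abcde12345abcde12345abcd))/login.aspx
198.51.100.7 GET /app/(S(abcde12345abcde12345abcd))/protected/search.aspx
198.51.100.9 GET /app/(qwert01234qwert01234qwer)/default.aspx
192.0.2.44 GET /app/default.aspx
"""

# Cookieless session ID as a path segment: "(S(<id>)...)" in ASP.NET 2.0+,
# bare "(<id>)" in ASP.NET 1.x. IDs are 24 lowercase alphanumerics.
SESSION_SEGMENT = re.compile(r"/\((?:S\(([a-z0-9]{24})\)|([a-z0-9]{24})\)/)")


def session_id(path):
    """Return the session ID embedded in a cookieless URL path, or None."""
    m = SESSION_SEGMENT.search(path)
    return (m.group(1) or m.group(2)) if m else None


def sessions_by_ip(log_text):
    """Map each session ID to the set of client addresses that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed layout
        ip, _method, path = parts
        sid = session_id(path)
        if sid:
            seen[sid].add(ip)
    return seen


def multi_source_sessions(log_text):
    """Session IDs presented from more than one client address."""
    return {sid: sorted(ips)
            for sid, ips in sessions_by_ip(log_text).items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in multi_source_sessions(SAMPLE_LOG).items():
        print(sid, "seen from", ", ".join(ips))
```
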

  3. rk325

    rk325 Guest

    Re: The problem may be something else if you already use cookieless sessions

    Thanks for your reply Robbe.
    I'm not sure I understand your explanation very well, but I was just
    informed by this client that they were able to successfully access the
    web site from another computer in his office. I knew that because I saw
    some activity today under these credentials. Does this tell you that
    they have their network traffic run through a network proxy server
    farm?

    Or is there anything else in the browser's configuration of this
    computer that prevents it from logging in to the web site?

    What do you mean above with "run their traffic through a specific
    server on the network proxy server farm" ?

    What I really need is to get more knowledge about proxy server farms!
    rk325, Apr 28, 2005
    #3