Forms Authentication and Authentication Cookie

Discussion in 'ASP .Net Security' started by rgouge, Jun 20, 2005.

  1. rgouge

    rgouge Guest

    I'm working on an ASP.NET application (ver 1.1) .. using forms
    authentication. The problem I'm having is managing the cookie. I'm not
    persisting the authentication cookie .. have a sliding expiration
    of 10min that I update every time the page is posted to the server. I am
    having two issues ..

    1. I end up with multiple cookies of the same name in the cookie
    collection

    2. If I have a web page open initially and redirect from a link on that
    page to the application I am working on in a new window .. they both share
    the same session id .. and cookie collection. If I authenticate a user now
    in my web application and the user then closes the application without
    logging out (leaving the window containing a link to my application open),
    and then the user clicks on the link to redirect back to the application to
    be authenticated, seeing that the cookie and session are the same .. the user
    skips the login page and is directed to the requested URL in the
    application.

    Any feedback would be appreciated.
     
    rgouge, Jun 20, 2005
    #1

  2. Hello rgouge,

    that's because IE shares cookies in the same process - and that's what happens
    if you are doing something like target=_blank or similar.

    I guess you could use some client javascript magic to clear the client side
    cookies before redirecting - if it is some kind of portal page from which
    the app is started.
     
    Dominick Baier [DevelopMentor], Jun 20, 2005
    #2

  3. rgouge

    rgouge Guest

    Thanks for the reply Dominick,

    I am developing a web application to be used by others and have no
    control over how that client accesses this application. I was thinking of
    using the urlreferrer.uri and compare it with the url.uri to weed out
    requests originating from outside the application. Still working on this.

    My other question .. when modifying the expiration time of the
    authentication ticket in the authentication cookie (not sure if this is the
    best approach) on a post back .. I tend to end up with several cookies with
    the same name (the name of the authentication cookie) .. is this typical ..
    it's not my intention.
     
    rgouge, Jun 20, 2005
    #3
  4. Hello rgouge,

    you don't have to set the time on every request - just configure FormsAuth
    for sliding expiration and this will do it for you automatically.
     
    Dominick Baier [DevelopMentor], Jun 20, 2005
    #4
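
The sliding-expiration setup suggested in reply #4, as an added example that is not part of the original thread. The 10-minute timeout comes from the first post; the cookie name, login page and authorization rule are assumptions.

```xml
<!-- web.config (constructed example; name, loginUrl and the deny rule are assumptions) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes. With slidingExpiration="true" the runtime
           reissues the ticket itself, so page code never has to add its own
           copy of the authentication cookie to the response. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="10"
             slidingExpiration="true"
             path="/" />
    </authentication>
    <authorization>
      <!-- Anonymous users are sent to loginUrl -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With sliding expiration the runtime reissues the ticket only once more than half of the timeout has elapsed, so the cookie is not rewritten on every request.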