I am a bit confused on how ASP.NET session works with my site, when a user opens up the site in multiple browsers, and/or multiple tabs.
I see that after logging in with IE, i can open a new tab and not have to log in, and that if I log out of one tab, the other one will redirect to login after I try to do something.
I also notice that if I log in with IE, i still have to log in with FF.
My question - are session data shared between all of these sessions?
Are there any concerns I need to take into account here?
Thanks!!!
Sessions are cookie-based; so they will not be shared by different browsers (eg. Firefox vs IE), but they will be shared between instances of the same browser (eg. multiple tabs/windows of IE).
In your case, the login (authentication) information is stored in a cookie. Therefore, if you login using IE then the cookie is only for IE and you would have to login again with a different browser or when the cookie expires.
You have to log in with each browser so they can each create/write the login cookie. Once they have cookie you shouldn't have to login until it expires or you log out, which should include additional tabs.
Related
We have an application which has two user types. One of them is an administrator and the other one is a client. We are using AspNet identity to authenticate the user and issue a cookie.
However, there is a scenario where the administrator and the user share the same browser. When the client logs in, the cookie gets overridden and when coming back to the administrator pages we lose authentication. The same happens the other way around (client is logged in first, then admin).
Is there a way to support multiple authenticated users at the same time on the same browser?
Greetings.
Luis.
No, the browser has no understanding of any users. You set cookies and the browser sends back those cookies. The application then receives and checks those cookies to figure out the current user on the next request;
There's no way for the browser to know what cookies it should send back and there's no way for your server to know what the right user is other than reading those cookies. Why do you want 2 different user types sharing the same exact browser window anyway? That defeats the entire security model.
If 2 people must share the same device, then most browsers today support private windows or separate 'profiles' so you can have completely separate preferences and sessions without sharing any data. Here's a link to Chrome's profiles feature: https://support.google.com/chrome/answer/2364824
Scenario:
I have two web applications A and B. A integrates application B in itself via iframe. Application A authenticates a user from B and maintains auth token in a session variable. Now, when application B is rendered on iframe on A and a login page appears, I submit the form and redirect to login but session becomes null. Remember Application A creates a session before redirecting to Login page.
This issue appears in case of IE11 only and when I set its privacy settings -> always allow session cookies on it works.... strange! isn't it.
Check override automatic cookies and then check Always allow session cookies in IE11 and its works fine. However, the same thing works in IE10 without any issue. Any help regarding this.I am already looking into other questions with following links
IE11 does not send session cookie when a link targeting a new tab is clicked (on first request)
IE 11 first-party session cookies being lost in iframe
Does ie11 ignore cookies from site that uses the server's ip as domain?
IE11 does not send session cookie when a link targeting a new tab is clicked (on first request)
Problem solved. Issue was with the IE11 privacy policy as it was destroying session cookies for iframe. As I mentioned above it was working by tweaking its privacy settings.
Set P3P policy on IIS for your hosting site and issue is fixed, now this will ignore IE11 privacy policies
I am fairly new with developing in ASP.Net and I've searched high and low for a resolution to this, to no avail. I am using Forms Authentication to authenticate users and when I login with user A, I abandon the current session, generate a new session cookie/id and redirect from to my content page and everything works as planned. However, when I open a new browser window and navigate to the login screen, thus starting a new session, the authentication cookie for user A is automatically passed to this session and is part of the request cookies collection. Even worse, when I actually log in as user B and get a new authentication cookie then refresh the browser window for session A, it now has the authentication cookie of user B.
I have no idea why this is happening. I thought the browser (IE9) was caching the authentication cookie because the response-header collection is set to cache-control "private" even though I specifically set the Response.Cache.SetCacheability("no-cache") in my code-behind for all pages. Then I was thinking it could be a threading issue.
Any insight into why this is happening is greatly appreciated, Thanks.
Try different Browsers like Chrome and IE. Because browser share same cookie and temp file even opened in new windows. Above scenario will occur if you try with gmail.com or live.com.
Check your web.config files for session settings.
Check out the following link:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.enablecrossappredirects.aspx
I have an application in ASP.Net that use cookies for store some information.I want to open a form only first time when a user enter into the site.I created a cookie and I wrote something in that .The next time I enter the site, I read this information,if something is wrote in there that means that it's not necessary to open the form again.It works fine if I use the same browser, but if first I open with Internet Explorer the site ,I make the cookie , wrote something in it , I close the browser and then I open site with Mozzila Firefox the application can't see the cookie that i created with Internet Exlorer(the read cookie is null) .I create the cookie with Mozilla , i open application with Chrome , this also doesn't see the cookie.If I wrote something in the cookie with one browser , I can read this value only if i use the same browser. What should I do to see cookie content with all the browsers, to can read the cookie content with all browsers?
No! You can't and Check this question Can two different browser share on cookie?
That is not possible with regular cookies, what I know of. Each browser store and keep track of their own cookies, and does not share them.
I haven't tried it myself, but there are examples where Flash cookies and JavaScript are being used to create something like a cross-browser cookie.
We use FormAuthentication to manage logins and I have a case where a customer complains where he can login from one computer but to from another.
I can see in my logs that his authentican is successfull but he gets bumped back to the login page. I can reproduce the symptons by disabling cookies so I asked the customer to test if cookies are enabled on http://www.tempesttech.com/cookies/cookietest1.asp, but this came out positive.
What have I missed? Is there any antivirus/security software that can mess up (ASP.NET) cookies?
The user is using IE7 and claims to have F-secure installed.
First ask from your customer to try to login using some other browser like google chrome.
If with other browser works, then ask from your customer to clear the cookies on his browser, if he can clear only your page cookies, then you must be check if you using too much cookies, or too big ones, and create a diferent shecma.
You maybe have set to store/cache the roles on cookie - this make cookie too big ones, and big cookies create problems.