Is cookieless=AutoDetect in forms authentication broken? - asp.net

I tried this by disabling cookies in my browser and setting cookieless="AutoDetect" for both the forms element and the sessionState element. However, this just doesn't work (what I mean by work is if cookies are enabled then the URL is unchanged, however if cookies are disabled then the sessionid is added to the querystring as per MSDN docs). The only way I can get this to work is if I set it to UseUri, which will add the sessionid to the URL path regardless of cookies being enabled or not.

It isn't broken, but the browser doesn't report that it has cookies disabled back to the browser.
The browser will report what browser it is, and ASP.NET keeps a list of browsers and browser capabilities. This information is used to determine whether or not to use cookieless when using AutoDetect.

From the sessionState page in MSDN:
If the browser or device supports cookies, but cookies are currently disabled, cookies are still used by the requesting feature.

If you're testing from your dev machine have you tried clearing cookies from your browser? There may already be a cookie in your browser that was put there before you disabled cookies.

Related

Form does not submit in IE11 when privacy is set to 'always allow session cookies' unchecked, but works in IE10 and others

Scenario:
I have two web applications A and B. A integrates application B in itself via iframe. Application A authenticates a user from B and maintains auth token in a session variable. Now, when application B is rendered on iframe on A and a login page appears, I submit the form and redirect to login but session becomes null. Remember Application A creates a session before redirecting to Login page.
This issue appears in case of IE11 only, and when I set its privacy settings -> always allow session cookies on, it works... strange, isn't it?
Check override automatic cookies and then check Always allow session cookies in IE11 and it works fine. However, the same thing works in IE10 without any issue. Any help regarding this? I am already looking into other questions with the following links:
IE11 does not send session cookie when a link targeting a new tab is clicked (on first request)
IE 11 first-party session cookies being lost in iframe
Does ie11 ignore cookies from site that uses the server's ip as domain?
Problem solved. The issue was with the IE11 privacy policy, as it was destroying session cookies for the iframe. As I mentioned above, it was working by tweaking its privacy settings.
Set a P3P policy on IIS for your hosting site and the issue is fixed; now this will ignore IE11 privacy policies.

Authentication cookie is not passed after login using IE10

I have an asp.net website located on some server.
I try to login the website using IE10 compatibility mode, I fill user name and password, and when I press on the "Login" button, nothing happens. I get the login page again.
I checked with wireshark and found out that the cookie is not passed when redirecting from the login page.
I tried the workarounds from this post:
IE10 User-Agent causes ASP.Net to not send back Set-Cookie (IE10 not setting cookies)
I checked that the date and time of the server are equal to the date and time of the browser, and my server name doesn't contain non-alphanumeric characters.
I tried changing the browser settings, restoring to default, and I tried with and without compatibility mode, but nothing helps!
(In Chrome everything works fine and the cookie is passed.)
Does someone have an idea about that?
Still cannot post comments...
You can always use cookieless="AutoDetect" to use Uri instead of cookies if it cannot set a cookie. Some users may even deny all cookies; that is why all advertisements use only Uri mode.
Though it might result in sharing of the Uri (easier than sharing cookies), and if a user shouldn't be allowed to log in from different places at once you'll need to revise your login logic.

Check browser cookie disabled

We are using an Http Module. In the http module we are setting a cookie. After that in the page we are trying to take the value from cookie.
So when we are requesting a page, first the code inside http module will execute and it will set the cookie and then the value can be taken from cookie in the page load of the page.
But while debugging the code in Visual studio, we found that if browser cookie is disabled, then in the httpModule it will try to set the cookie and after that in the page load if we check the request object, it is showing the cookie set from the httpModule.
Is this correct behavior? I want to know whether cookies are disabled in this case. If they are disabled I want to take another value from the db. But it is always showing the value in the cookie.
Can anyone please suggest a method to get whether cookie is disabled or not.
We are using the httpModule in an Umbraco site.
I would write a cookie and then do a redirect to check if that cookie exists. If it does, then you know cookies are enabled; if not, then cookies are not enabled. Here is a good example:
http://www.primaryobjects.com/CMS/Article54.aspx
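
The write-then-redirect check described in this answer, sketched as an HTTP module (an added example, not code from the original posts or the linked article). The cookie name, query-string marker and `HttpContext.Items` key are hypothetical; the module reads `Request.Cookies` before adding to `Response.Cookies` because ASP.NET makes a cookie added to the response immediately visible in the same request's cookie collection, which is the behavior the question observed.

```csharp
using System;
using System.Web;

// Added example: probes cookie support with one redirect round trip.
public class CookieProbeModule : IHttpModule
{
    private const string ProbeCookie = "cookie_probe"; // hypothetical cookie name
    private const string ProbeFlag = "cookiecheck";    // hypothetical query-string marker
    public const string ResultKey = "CookiesEnabled";  // hypothetical HttpContext.Items key

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Check the incoming cookies first: once the probe is added to
        // Response.Cookies it also shows up in Request.Cookies for this request.
        if (req.Cookies[ProbeCookie] != null)
        {
            ctx.Items[ResultKey] = true;   // the browser sent the probe back
            return;
        }
        if (req.QueryString[ProbeFlag] == "1")
        {
            ctx.Items[ResultKey] = false;  // probed already, nothing came back
            return;
        }
        if (req.HttpMethod != "GET")
            return;                        // do not redirect away a POST body; result unknown

        var probe = new HttpCookie(ProbeCookie, "1")
        {
            HttpOnly = true,
            Secure = req.IsSecureConnection
        };
        ctx.Response.Cookies.Add(probe);

        // Redirect to the same local path only, never to a caller-supplied URL.
        string sep = req.Url.Query.Length == 0 ? "?" : "&";
        ctx.Response.Redirect(req.Url.PathAndQuery + sep + ProbeFlag + "=1", false);
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

A page can then read `Context.Items[CookieProbeModule.ResultKey]` and fall back to the database value when it is `false`.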

Cookies on multiple browsers in ASP.Net

I have an application in ASP.Net that uses cookies to store some information. I want to open a form only the first time a user enters the site. I created a cookie and I wrote something in it. The next time I enter the site, I read this information; if something is written in there, that means it's not necessary to open the form again. It works fine if I use the same browser, but if I first open the site with Internet Explorer, make the cookie, write something in it, close the browser and then open the site with Mozilla Firefox, the application can't see the cookie that I created with Internet Explorer (the read cookie is null). If I create the cookie with Mozilla and open the application with Chrome, this also doesn't see the cookie. If I write something in the cookie with one browser, I can read this value only if I use the same browser. What should I do to be able to read the cookie content with all browsers?
No! You can't. Check this question: Can two different browser share on cookie?
That is not possible with regular cookies, as far as I know. Each browser stores and keeps track of its own cookies, and does not share them.
I haven't tried it myself, but there are examples where Flash cookies and JavaScript are being used to create something like a cross-browser cookie.

ASP.Net session state not available on another webpage

I'm designing a single page web application with all the action happening on default.aspx. I store the user's user id in Session after he logs on. I use SWFUpload in default.aspx to upload files to upload.aspx.
When upload.aspx receives a file, it checks HttpContext.Current.Session for the user's id. This used to work, but since recently HttpContext.Current.Session doesn't have any values regarding my session. I must have changed something along the line but I have no idea what.
Stranger still, it still works with IE, but not with either Firefox or Chrome. I also read something about Flash in Firefox mistakenly uploading IE's session cookie (I'm paraphrasing).
How do I retrieve the Session data from the upload page (Firefox and Chrome)?
This is a known issue with Flash and cookies on non-IE browsers. Here's a post over at swfupload.org that discusses a workaround, and 'just the code' over at snipplr. Basically Flash does not send your cookies (or sends IE cookies) on Firefox and Chrome, etc., so your SessionID is not sent with your upload.aspx request in those browsers. In IE it will work, though.
The workaround above is to send the SessionID and Authentication ticket in the post or url, and then in the Global.asax intercept the request and recreate the correct cookies before ASP.NET looks for them in order to retrieve authentication or session information.
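
A restricted form of the workaround described in this answer, as an added example (not the swfupload.org or snipplr code). The form-field names `AUTHID` and `ASPSESSID` are hypothetical, and the default session cookie name is assumed; the sketch accepts the values only from the POST body of upload.aspx and restores cookies only when the forms-authentication ticket decrypts and has not expired.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example for Global.asax.cs; not the swfupload.org or snipplr code.
public class Global : HttpApplication
{
    private const string AuthField = "AUTHID";       // hypothetical form field
    private const string SessionField = "ASPSESSID"; // hypothetical form field
    private const string UploadPath = "~/upload.aspx";
    // Default session cookie name; change it if <sessionState cookieName> is set.
    private const string SessionCookie = "ASP.NET_SessionId";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Accept the tokens only in the POST body of the upload endpoint, so
        // they never land in URLs, server logs or Referer headers.
        if (Request.HttpMethod != "POST" ||
            !string.Equals(Request.AppRelativeCurrentExecutionFilePath,
                           UploadPath, StringComparison.OrdinalIgnoreCase))
            return;

        string auth = Request.Form[AuthField];
        if (!IsLiveTicket(auth))
            return; // no valid ticket: leave cookies alone, request stays anonymous

        Request.Cookies.Set(new HttpCookie(FormsAuthentication.FormsCookieName, auth));

        // The session ID cannot be verified by itself, so it is restored only
        // alongside a ticket that decrypted and has not expired.
        string sid = Request.Form[SessionField];
        if (!string.IsNullOrEmpty(sid))
            Request.Cookies.Set(new HttpCookie(SessionCookie, sid));
    }

    private static bool IsLiveTicket(string encrypted)
    {
        if (string.IsNullOrEmpty(encrypted)) return false;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encrypted);
            return ticket != null && !ticket.Expired;
        }
        catch (Exception)
        {
            return false; // tampered or malformed value
        }
    }
}
```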
