Re: Forms Authentication and Differences Between Windows Explorer and IE
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/06/04
- Previous message: Ken Schaefer: "Re: Problems! WinNT Client -> WinXP Web Server -> Win2000 File Server"
- In reply to: Kevin Watkins: "Forms Authentication and Differences Between Windows Explorer and IE"
- Next in thread: Kevin Watkins: "Re: Forms Authentication and Differences Between Windows Explorer and IE"
Date: Tue, 6 Apr 2004 14:56:11 +1000
See reply to the post that you posted in the www.asp.net forums
HTH
Cheers
Ken
"Kevin Watkins" <mrkwatkins@hotmail.com> wrote in message
news:2ec204be.0404051028.1275a59b@posting.google.com...
: Hi,
:
: Hoping someone can help me. I have noticed different behaviour between
: a website launched from Windows explorer and Internet Explorer. I have
: set up a simple test application to demonstrate this problem:
:
: 1. Create a new ASP.NET application in VS.NET at
: http://localhost/test.
: 2. Added a default form, Default.aspx, that has a simple button that
: does the FormsAuthentication stuff:
:
: <%@ Page language="c#" Codebehind="Default.aspx.cs"
: AutoEventWireup="false" Inherits="LoginTest._Default" %>
: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
: <HTML>
: <HEAD>
: <title>Default</title>
: </HEAD>
: <body>
: <form id="Form1" method="post" runat="server">
: <asp:Button id="Button1" runat="server" Text="Set Session"></asp:Button>
: <br/>
: <br/>
: <asp:Label id="Label1" Runat="server"></asp:Label>
: </form>
: </body>
: </HTML>
:
: using System;
: using System.Web.Security;
:
: namespace LoginTest
: {
:     public class _Default : System.Web.UI.Page
:     {
:         protected System.Web.UI.WebControls.Label Label1;
:         protected System.Web.UI.WebControls.Button Button1;
:
:         #region Web Form Designer generated code
:         override protected void OnInit(EventArgs e)
:         {
:             InitializeComponent();
:             base.OnInit(e);
:         }
:
:         private void InitializeComponent()
:         {
:             this.Button1.Click += new System.EventHandler(this.Button1_Click);
:         }
:         #endregion
:
:         private void Button1_Click(object sender, System.EventArgs e)
:         {
:             // Second argument false: issue a non-persistent (session) cookie.
:             FormsAuthentication.RedirectFromLoginPage("user", false);
:         }
:     }
: }
:
: 2. Added a second form that does nothing:
:
: <%@ Page language="c#" Codebehind="NeedsAuth.aspx.cs"
: AutoEventWireup="false" Inherits="LoginTest.NeedsAuth" %>
: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
: <HTML>
: <HEAD>
: <title>NeedsAuth</title>
: </HEAD>
: <body>
: <form id="Form1" method="post" runat="server">
: Hello!
: </form>
: </body>
: </HTML>
:
: using System;
:
: namespace LoginTest
: {
:     public class NeedsAuth : System.Web.UI.Page
:     {
:         protected System.Web.UI.WebControls.Label LoginLabel;
:
:         private void Page_Load(object sender, System.EventArgs e)
:         {
:             // Intentionally empty: access is controlled by web.config.
:         }
:
:         #region Web Form Designer generated code
:         override protected void OnInit(EventArgs e)
:         {
:             InitializeComponent();
:             base.OnInit(e);
:         }
:
:         private void InitializeComponent()
:         {
:             this.Load += new System.EventHandler(this.Page_Load);
:         }
:         #endregion
:     }
: }
:
: 3. Changed my web.config file to the following:
:
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <compilation defaultLanguage="c#" debug="true"/>
: <customErrors mode="RemoteOnly"/>
: <authentication mode="Forms">
: <forms name="TestAuth" loginUrl="Default.aspx" protection="All"
: timeout="30" slidingExpiration="true"/>
: </authentication>
: <authorization>
: <deny users="?"/>
: </authorization>
: <trace enabled="false" requestLimit="10" pageOutput="false"
: traceMode="SortByTime" localOnly="true"/>
: <sessionState mode="InProc" cookieless="false" timeout="40"/>
: <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
: </system.web>
: </configuration>
:
: Now, if I load up IE by clicking on the IE icon in my desktop, then
: type in http://localhost/test/NeedsAuth.aspx, it redirects me to
: Default.aspx. I click on the button and it redirects me back to
: NeedsAuth.aspx as it should. Now if I shut down IE, then load it up
: again by clicking on the IE icon and go to
: http://localhost/test/NeedsAuth.aspx it redirects me to Default.aspx
: and I have to login again as expected.
:
: Everything fine so far. However, if I try this via Windows explorer I
: get different behaviour. If I double click on 'My Computer' and enter
: http://localhost/test/NeedsAuth.aspx into the address bar, it
: redirects me to Default.aspx. I click on the button and it redirects
: me back to NeedsAuth.aspx as it should. Now if I close the window,
: then double click on 'My Computer' and enter
: http://localhost/test/NeedsAuth.aspx again, it does not redirect me to
: Default.aspx and I am fully logged in.
:
: Similar tests with Page.Session and no authentication indicate that it
: also has the same behaviour.
:
: I presume this is to do with the way Windows explorer runs IE. I get
: an IExplore process in task manager if I load IE via its icon, but I
: do not if I enter the URL into My Computer.
:
: This is obviously giving me a major security hole; a user could load
: up my application, forget to log out properly (or have their browser
: crash) then another user could come along and enter the URL and be
: fully logged in.
:
: I've tried lots of things to get around this, but cannot solve the
: problem. Currently I'm considering using a <body unload=> JavaScript
: method to post somewhere that does the FormsAuthentication.SignOut(),
: but obviously this isn't great and wouldn't be any use if the browser
: crashed. I've tried searching in these forums and in various newsgroups
: without any luck.
:
: Hopefully it's me being a muppet and I've missed something stupid. If
: anyone can help I'd be really grateful!
:
: Cheers,
:
: Kev
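
Added example, not part of the thread or of either poster's code: a server-side way to bound the stale-login window described in the quoted post, for cases where the client never drops its session cookie (window closed without logout, browser crash). `SessionGuard`, `MaxLogin` and the 8-hour cap are hypothetical; it assumes every login goes through `IssueTicket` and that `EnforceAbsoluteLimit` is called from `Application_AuthenticateRequest` in Global.asax.

```csharp
// Added example; SessionGuard, MaxLogin and the 8-hour cap are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public sealed class SessionGuard
{
    static readonly TimeSpan MaxLogin = TimeSpan.FromHours(8); // assumed policy

    // Login: use instead of RedirectFromLoginPage("user", false), then redirect.
    public static void IssueTicket(HttpResponse response, string user)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, now, now.AddMinutes(30), false,   // 30 = timeout in web.config
            DateTime.UtcNow.Ticks.ToString());         // UserData: original login time
        // No Expires set, so this is still a non-persistent (session) cookie.
        response.Cookies.Add(new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket)));
    }

    // Call from Application_AuthenticateRequest in Global.asax.
    public static void EnforceAbsoluteLimit(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { /* tampered or undecryptable: treat as invalid */ }

        long loginTicks;
        bool valid = ticket != null
            && long.TryParse(ticket.UserData, out loginTicks)
            && DateTime.UtcNow.Ticks - loginTicks <= MaxLogin.Ticks;
        if (valid) return;

        // Too old, or not issued by IssueTicket: revoke and continue as anonymous.
        SignOut(ctx);
        ctx.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }

    // Explicit logout, e.g. from the Page_Load of a logout page.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();                   // expires the forms cookie
        if (ctx.Session != null) ctx.Session.Abandon();  // discards server-side state
    }
}
```

The sliding `timeout="30"` in web.config still applies to idle sessions; the login time in `UserData` adds an upper bound that renewal does not extend.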