Re: Forms Auth Problems.

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/24/04


Date: Sat, 24 Apr 2004 16:11:14 +1000

Your auth cookie can have two options:
a) it has no expiry date, in which case it is held in the browser's memory,
and when the browser process is closed (all windows are closed), then the
cookie is discarded.
b) it has an expiry date (a persistent cookie), which is then written to
disk, and returned to the server if the browser returns to that site (even
if it has been closed)

The server does not know when a user closes their browser - the browser
doesn't send anything to every server that it's visited telling the server
that the browser is being closed (that would be a huge privacy problem). So
the server keeps the session going until it eventually times out. However, if
you:
a) have a persistent cookie
b) just close your browser
c) open the browser again and point it to the site
then
a) the session is still going on the server
b) the browser still has the cookie
so you will be let in.

You could use some client-side JavaScript code that pops up a new window
when the user attempts to close their browser. This new window would call a
special page on the server that abandons the user's session. However pop-up
blockers will block this from ever happening.

Cheers
Ken

"Ed Staffin" <anonymous@discussions.microsoft.com> wrote in message
news:338b01c4292c$315b1890$a401280a@phx.gbl...
: Hi, I am using the fairly standard code below to do my
: forms authentication ticket and redirect, however, I am
: finding that once successfully logged in, I don't get
: another log after I close the browser. Is there something
: I need to do to let it know that if the browser closes
: they should be logged out?
: Thanks ... Ed
:
:
: Dim tkt As FormsAuthenticationTicket
: Dim cookiestr As String
: Dim ck As HttpCookie
:
: ' Fifth argument (isPersistent) is True: the ticket is marked persistent
: tkt = New FormsAuthenticationTicket(1, txtUserName.Text, _
: DateTime.Now(), DateTime.Now.AddMinutes(20), _
: True, "")
: cookiestr = FormsAuthentication.Encrypt(tkt)
: ck = New HttpCookie( _
: FormsAuthentication.FormsCookieName(), cookiestr)
: ' Setting Expires makes the browser write the cookie to disk
: ck.Expires = tkt.Expiration
: ck.Path = FormsAuthentication.FormsCookiePath()
: Response.Cookies.Add(ck)
: Response.Redirect(FormsAuthentication.GetRedirectUrl _
: (txtUserName.Text, False))
:
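
The session-cookie variant of the code quoted above, corresponding to option (a) in the reply, plus an explicit logout handler. This is an added example, not code from either poster; the class name, `btnLogout_Click` and `login.aspx` are hypothetical, and it assumes credentials have already been validated.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Hypothetical code-behind class; only txtUserName comes from the original post.
Public Class LoginPage
    Inherits Page

    Protected txtUserName As TextBox

    ' Call only after the user name and password have been checked.
    Protected Sub IssueSessionTicket()
        ' isPersistent = False: the ticket is not marked as a persistent login.
        Dim tkt As New FormsAuthenticationTicket(1, txtUserName.Text, _
            DateTime.Now, DateTime.Now.AddMinutes(20), False, "")

        Dim ck As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(tkt))

        ' ck.Expires is deliberately NOT set. With no expiry date the browser
        ' holds the cookie in memory and discards it when the process exits.
        ck.Path = FormsAuthentication.FormsCookiePath
        ' Send the ticket over HTTPS only when requireSSL is set in web.config.
        ck.Secure = FormsAuthentication.RequireSSL
        Response.Cookies.Add(ck)

        Response.Redirect( _
            FormsAuthentication.GetRedirectUrl(txtUserName.Text, False))
    End Sub

    ' Explicit logout: expire the auth cookie and drop the server-side session
    ' instead of waiting for the session to time out.
    Protected Sub btnLogout_Click(ByVal sender As Object, ByVal e As EventArgs)
        FormsAuthentication.SignOut()
        Session.Abandon()
        Response.Redirect("login.aspx") ' hypothetical login page path
    End Sub
End Class
```

The ticket's own 20-minute expiration still applies on the server, so a ticket copied out of the browser stops being accepted after that window even though the cookie itself carries no expiry date.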


