Re: Cookies question
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 03/23/05
- Next message: Roy Chastain: "Need the equivalent of CryptGenKey for PUBLIC/PRIVATE pairs"
- Previous message: brian f via DotNetMonster.com: "password help"
- In reply to: Joe Fallon: "Cookies question"
- Next in thread: Joe Fallon: "Re: Cookies question"
- Reply: Joe Fallon: "Re: Cookies question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Mar 2005 02:32:22 -0800
Hello Joe,
cookie storage depends - if it is a temporary cookie it is only stored in
browser memory and deleted when you shut down the process - persistent cookies
are stored in the user profile.
So when do you deal with persistent and when with temporary...
a cookie that has an expiration time in the future is persistent until that
point of time.
In FormsAuthentication - when you use RedirectFromLoginPage - the last parameter
is a boolean - if true the cookie is persistent (some silly timespan like
50 years in the future), if false you will end up with a temp cookie.
When you use persistent cookies, the behaviour with the 2nd browser window
is like you described it.
Always use temp cookies - you don't want digital ids of your webapp stored
on a clients machine, do you?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> I use forms authentication for my app.
> After I log in successfully each request by the browser contains 2
> cookies.
> One for the SessionID and one for forms authentication which contains
> my ticket.
> Can someone please explain where these cookies are stored? I think it
> is in memory in the browser but am not sure.
>
> Also, some users have stated that they can do the following:
> 1. Start a browser, hit the site and log in.
> 2. Start a 2nd browser.
> 3. Hit the site.
> 4. BYPASS the log in page and go directly to the Home page.
> They claim they can also close all browser sessions, start a new one
> and still Bypass the log in page.
>
> How is this possible?
> Why would the 2nd browser session have the cookies noted above?
> I assume once the authentication ticket expires in 30 minutes of
> inactivity that neither scenario would be possible. They would have to
> re-log in first.
>
> Thanks for any info on this.
>
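The persistent/temporary distinction Dominick describes, shown in code as an added example (this is not code from the original thread). The first method uses RedirectFromLoginPage exactly as he describes; the second issues the same ticket by hand so the two separate lifetimes are visible: the ticket's own expiry, which the server checks, and the cookie's Expires attribute, which decides whether the browser keeps the ticket in memory or writes it to the user's profile on disk. The page controls txtUser, txtPassword and lblError are assumed to exist in the login page's markup; FormsAuthentication, FormsAuthenticationTicket, Membership.ValidateUser and HttpCookie are the real ASP.NET APIs (HttpCookie.HttpOnly needs .NET 2.0 or later).

```csharp
// Added example, not part of the original post. Assumes a Web Forms login page
// with txtUser, txtPassword and lblError controls defined in its markup.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text;

        if (!Membership.ValidateUser(user, txtPassword.Text))
        {
            lblError.Text = "Invalid credentials";
            return;
        }

        // Second parameter is createPersistentCookie.
        // false: the auth cookie carries no Expires attribute, so the browser
        //        keeps it in memory only and discards it when the browser
        //        process ends.
        // true:  Expires is set far in the future and the cookie is written to
        //        the user's profile on disk; any later browser instance on that
        //        machine can present the ticket and skip the login page, which
        //        is the behaviour the question reports.
        FormsAuthentication.RedirectFromLoginPage(user, false);
    }

    // The same thing done by hand, so the two lifetimes are explicit.
    private static void IssueAuthCookie(HttpResponse response, string user, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            user,                           // authenticated user name
            DateTime.Now,                   // issue time
            DateTime.Now.AddMinutes(30),    // ticket expiry checked server-side
                                            // (matches the 30-minute timeout in the question)
            persistent,                     // recorded inside the ticket
            String.Empty);                  // no extra user data

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep client script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;

        if (persistent)
        {
            // Only a persistent cookie gets an Expires attribute. Leaving it
            // unset is what makes the cookie temporary: the browser never
            // writes it to disk.
            cookie.Expires = ticket.Expiration;
        }

        response.Cookies.Add(cookie);
    }
}
```

Note that a temporary cookie is still replayable for as long as the ticket itself is valid; what it removes is the copy left on disk in the user's profile, which is the point Dominick makes about not leaving the web app's digital IDs on a client machine.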