Re: Cookies question

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 03/23/05


Date: Wed, 23 Mar 2005 13:28:18 -0500

Dominick,
Thanks for the response.

I use temp cookies because I use code like this:
Web.Security.FormsAuthentication.RedirectFromLoginPage(UID, False)

I think it is related to spawning a 2nd browser session from the first by
using Ctrl-N.
In this case the 2nd browser instance "inherits" the in memory cookies from
the first.

The users were using a link to an Intranet site - maybe this link had the
same effect by spawning a 2nd instance from the first somehow.

I guess what I don't understand is how they can close all browser instances
and then click this link and still bypass the log in page. If the cookie is
temporary and in memory, isn't it destroyed when the browser is closed?
Or is it really stored on disk somewhere until it expires? (I could not find
it and a re-boot makes it disappear.)

Thanks for any more input.

-- 
Joe Fallon
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:169758632471743413041942@news.microsoft.com...
> Hello Joe,
>
> cookie storage depends - if it is a temporary cookie it is only stored in
> browser memory and deleted when you shut down the process - persistent
> cookies are stored in the user profile.
>
> So when do you deal with persistent and when with temporary...
>
> a cookie that has an expiration time in the future is persistent until that
> point of time.
>
> In FormsAuthentication - when you use RedirectFromLoginPage - the last
> parameter is a boolean - if true the cookie is persistent (some silly
> timespan like 50 years in the future), if false you will end up with a
> temp cookie.
>
> When you use persistent cookies, the behaviour with the 2nd browser window
> is like you described it
>
> Always use temp cookies - you don't want digital ids of your webapp stored
> on a clients machine, do you?
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I use forms authentication for my app.
> > After I log in successfully each request by the browser contains 2
> > cookies.
> > One for the SessionID and one for forms authentication which contains
> > my ticket.
> > Can someone please explain where these cookies are stored?  I think it
> > is in memory in the browser but am not sure.
> >
> > Also, some users have stated that they can do the following:
> > 1. Start a browser, hit the site and log in.
> > 2. Start a 2nd browser.
> > 3. Hit the site.
> > 4. BYPASS the log in page and go directly to the Home page.
> > They claim they can also close all browser sessions, start a new one
> > and still Bypass the log in page.
> >
> > How is this possible?
> > Why would the 2nd browser session have the cookies noted above?
> > I assume once the authentication ticket expires in 30 minutes of
> > inactivity that neither scenario would be possible. They would have to
> > re-log in first.
> >
> > Thanks for any info on this.
> >
>
>
>
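
Added example, not part of the original thread: one way to check which kind of cookie the server actually issued is to look at the Set-Cookie response headers, since a cookie with no Expires or Max-Age attribute is a temporary (session) cookie and one with a future lifetime is persistent. The header values below are constructed samples, and the cookie names .ASPXAUTH and ASP.NET_SessionId are assumed to be the ASP.NET defaults.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (not captured from the poster's site).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=0123ABCD; expires=Tue, 23 Mar 2055 18:28:18 GMT; path=/; HttpOnly",
    ".ASPXAUTH=0123ABCD; path=/; HttpOnly",
    "prefs=compact; Max-Age=0; path=/",
]
AUTH_COOKIES = {".ASPXAUTH"}  # assumed default name; change if the app renames it


def classify(set_cookie, now):
    """Return (name, kind); kind is 'session', 'persistent' or 'deleted'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    expiry = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            expiry = now + timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # an unparseable attribute is ignored
    if expiry is None and "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
            if expiry.tzinfo is None:
                expiry = expiry.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass
    if expiry is None:
        return name, "session"  # no lifetime attribute: a temporary cookie
    return name, "persistent" if expiry > now else "deleted"


def persistent_auth_cookies(headers, now=None):
    """Names of authentication cookies issued with an explicit future lifetime."""
    now = now or datetime.now(timezone.utc)
    found = [classify(h, now) for h in headers]
    return [name for name, kind in found if name in AUTH_COOKIES and kind == "persistent"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header, datetime.now(timezone.utc)))
```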

