The problem may be something else if you already use cookieless sessions
From: Robbe Morris [C# MVP] (info_at_turnkeytools.com)
Date: 04/28/05
- Next message: Brock Allen: "Re: impersonation"
- Previous message: Dominick Baier [DevelopMentor]: "Re: Security issues with Win2003 and ASPNet app"
- In reply to: rk325: "turning cookieless mode false for client browsers that do not accept cookies"
- Next in thread: rk325: "Re: The problem may be something else if you already use cookieless sessions"
- Reply: rk325: "Re: The problem may be something else if you already use cookieless sessions"
Date: Thu, 28 Apr 2005 14:19:50 -0400
I suspect the most likely issue is that your user has their network
traffic run through a network proxy server farm. This essentially
makes all subsequent http requests to your farm look like new sessions
to your server(s).
If you ask the user whether they can access their online banking
account or some other site that requires strict authentication and
login credentials and they can't, then this is probably it.
We run into this problem a lot with our business to business
visitors. The only way to get around it in your situation is to
have them tell their administrators to run their traffic through
a specific server on the network proxy server farm.
Their proxy server farm is specifically designed to prevent
the user from doing what you need them to do.
--
2005 Microsoft MVP C#
Robbe Morris
http://www.robbemorris.com
http://www.masterado.net/home/listings.aspx

"rk325" <rocio.katsanis@softwareservices.net> wrote in message
news:1114704663.917723.53540@f14g2000cwb.googlegroups.com...
> I have a question about cookies & browser permissions and turning off
> cookies when creating a web site (cookieless mode in web.config).
>
> I have a web site that of course uses Session variables.
> But we decided to turn off the cookieless mode because the client
> specifically said her browser did not allow cookies. Anyway, when
> searching about it, I found out that by setting cookieless = true the
> session cookie is embedded into the URL sent back & forth to/from the
> client so the server can identify this client. All this happens after
> authentication, when the user has already entered a username and a
> password and is redirected to the appropriate password protected web
> pages.
>
> A new client is signing in and he claims he cannot log in to the web
> site. He enters his credentials but all he gets back is the general
> search page (not the protected one with more capabilities). I know it
> must be something with his browser configuration, because somehow the
> security in that office has been set up to not allow anyone to do anything
> on the internet. I figure, cookies must not be allowed. But if our web
> site uses the cookieless mode, then why can't he log in at all?
>
> I can login from my desk using this client's credentials and can
> search fine. Since I monitor the activities of this client, all my
> searches under these credentials get recorded.
>
> Is there anything more to the cookieless mode that does use cookies or
> some type of security in the client's browser that must be set free?
>
> I guess what I would like to know exactly is what are the requirements
> for any internet browser to run ASP.NET applications that require
> forms-based authentication.
>
> Your comments/help/links about this will be very much appreciated.