Re: Session-specific Auth Cookie



When I see problems like this, it often has to do with confusion between a
browser window and a browser process and how session cookies work.

IE (and probably Firefox it sounds like) will share session cookies across
the entire process. Here, a "session cookie" is the kind of cookie that is
not written to disk. It is kept in memory by the browser process and "goes
away" when the process terminates.

A browser process can have multiple windows though. You see this all the
time when you do ctrl+N in IE or right click "new window". As such, those
windows will all send the same cookies back to the server. Since session
state in IE is cookie based, all of those browser windows will use the same
session state.

However, it is also possible to have multiple IE processes running at the
same time. These will not share session cookies.

I agree with Dominick that using a tool like Fiddler or a plugin like
ieHttpHeaders for IE (or the built in header stuff in Firefox) is a good way
to see which cookies an individual browser window is receiving and sending so
you can see what's going on.

HTH,

Joe K.
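Joe's explanation in runnable form, as an added example that is not part of the original thread or of ASP.NET: a toy server that hands out a session cookie named .ASPXAUTH (the value is just the user name here, an assumption for the demo; real ASP.NET stores an encrypted ticket), urllib openers standing in for browser windows, and a CookieJar standing in for the process's in-memory cookie store. Two "windows" sharing one jar behave like ctrl+N in IE; two jars behave like two separate processes. It also includes the check you would otherwise do by eye in Fiddler or ieHttpHeaders: whether a Set-Cookie header carries Expires/Max-Age (persistent) or not (session).

```python
"""Session cookies belong to the browser process's cookie jar, not to a
window. Added example; server, cookie contents and client are stand-ins."""
import http.cookiejar
import http.cookies
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# ASP.NET's default forms-auth cookie name. Storing the bare user name in it
# is an assumption for this demo only; ASP.NET stores an encrypted ticket.
AUTH_COOKIE = ".ASPXAUTH"


class ToyFormsAuth(BaseHTTPRequestHandler):
    """POST /login issues the auth cookie; GET /whoami reads it back."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_POST(self):
        if self.path != "/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        user = parse_qs(self.rfile.read(length).decode())["user"][0]
        self.send_response(200)
        # No Expires/Max-Age => session cookie: kept in memory for the life
        # of the browser process and never written to disk.
        self.send_header("Set-Cookie", f"{AUTH_COOKIE}={user}; path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        sent = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        who = sent[AUTH_COOKIE].value if AUTH_COOKIE in sent else "anonymous"
        body = who.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ToyFormsAuth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def window(jar):
    """A browser window: its own opener, but the cookie jar belongs to the
    process it was opened in (ctrl+N / 'new window' shares the jar)."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def login(win, base, user):
    win.open(base + "/login", data=f"user={user}".encode()).close()


def whoami(win, base):
    with win.open(base + "/whoami") as resp:
        return resp.read().decode()


def two_windows_one_process(base):
    """One shared jar: the second login overwrites the cookie, so window 1,
    which logged in as alice, now acts as bob."""
    jar = http.cookiejar.CookieJar()
    win1, win2 = window(jar), window(jar)
    login(win1, base, "alice")
    login(win2, base, "bob")
    return whoami(win1, base), whoami(win2, base)


def two_processes(base):
    """Separate processes have separate jars, so the logins stay apart."""
    win1 = window(http.cookiejar.CookieJar())
    win2 = window(http.cookiejar.CookieJar())
    login(win1, base, "alice")
    login(win2, base, "bob")
    return whoami(win1, base), whoami(win2, base)


def is_session_cookie(set_cookie_header):
    """True when Set-Cookie has neither Expires nor Max-Age (dies with the
    process); False when either is present (persisted to disk)."""
    morsel = next(iter(http.cookies.SimpleCookie(set_cookie_header).values()))
    return not morsel["expires"] and not morsel["max-age"]


def run_demo():
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {"one_process": two_windows_one_process(base),
                "two_processes": two_processes(base)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The shared-jar run returns ('bob', 'bob'): window 1 is now whoever logged in last, which is the "switched over to the other user" behaviour described in the thread. Note that cookie sharing is a property of the browser's cookie store; nothing the server puts in the cookie can make two windows of one process hold different session cookies for the same name, domain and path.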

"Matt Braun" <mattb308@xxxxxxxxxxxxxxxx> wrote in message
news:9768E764-D04C-414D-9FA1-1620F4302587@xxxxxxxxxxxxxxxx
I agree and what you describe is the behavior I was expecting - that each
session would have its own auth cookie. My code (neither the web app nor the
custom security provider) doesn't write the cookie though since I'm relying
on ASP.NET's forms authentication to handle that. As such, I'm uncertain why
I'm not experiencing the behavior we both expect.

Further ideas on why ASP.NET would be writing the cookie in a way that makes
it shared? If I look at the cookie in Firefox it does indeed identify itself
as "Expire At End Of Session" so, at least to that degree, it seems to be
marked as a session cookie.

"Dominick Baier [DevelopMentor]" wrote:

Hi,

this sounds like you are persisting the cookie on the harddrive.

Usually the auth cookie is a temporary cookie per session. However - if you
start a new IE instance using ctrl+n e.g. they share the temporary cookies.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm testing an ASP.NET 2.0 Application that uses Forms Authentication,
a custom Security Provider, and the built-in asp:Login server control.
I've discovered that if I open two or more separate instances of a
given browser (i.e., 2+ instances of IE or 2+ instances of Firefox) and
log in to one browser using one set of credentials and the other using
another set, then sporadically the browsers begin sharing the
information about who is logged in and, thus, I can only effectively be
logged in as one person at a time from a given machine.

Generally - in IE - if I only use the buttons in the application to
move around then I'm okay but if I hit the browser's back button it
tends to change me over to the credentials of whichever user I most
recently loaded a page for.

In Firefox, the behavior is a bit different - it consistently shares
the information across all instances no matter if I'm clicking through
only using buttons/links in the app or if I'm using my back button.

Naturally, if I have Firefox and IE open at the same time, they don't
share the data and I *can* run two separate logged in users from the
same machine. Based on this behavior, I think that what is happening
is that the .ASPXAUTH cookie is being shared across my sessions in any
given version of browser.

1. Can anyone confirm that what I'm seeing is expected behavior?
Should .ASPXAUTH cookies (for a single application) be shared globally
across all instances of a given browser?

2. Is it possible to force .ASPXAUTH cookies to be session-specific
to allow for having two instances of IE open at the same time but
logged in as two different users?
