login twice on the same web-app on one machine?
- From: "Jurjen de Groot" <Jurjen.de.Groot@xxxxxxxxx>
- Date: Wed, 18 Jun 2008 10:40:28 +0200
I'm currently maintaining a web application which is 'secured' using FormsAuthentication.
When the user is authenticated I set the authentication cookie using:
FormsAuthentication.SetAuthCookie( UserName, false)
and redirect the user to the correct page.
In the global.asax (Application_AuthenticateRequest) a check is performed to see if the request isAuthenticated (Request.IsAuthenticated), if so, the cookie is retrieved and used (if empty it's being filled with role-information), all is well so far.
If the user then starts a new instance of IE7 and tries to log on as a different user, things go bad: the user can log in using another user account, is then validated, and subsequently Request.IsAuthenticated is still true in the global.asax and the app will pick up the cookie which belongs to the previous user.
Is it at all possible to have multiple users using the same web application on the same machine in different IE windows? And if so, could you show me how or point me to some resource on this? And how dangerous can this be? What if the user doesn't create a new instance of IE7 but uses CTRL+N to create a new window, won't sessions get mixed up?
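
An added example, not part of the original post: one way to write the flow described above so that the user name and roles are read only from the forms-authentication ticket carried by the current request, never from a value cached elsewhere on the server. The SignIn helper, the comma-separated role list in UserData and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical login helper, called after the credentials have been checked.
    // It replaces SetAuthCookie so the ticket itself carries this user's roles.
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // assumed lifetime
            false,                          // non-persistent, as in the post
            string.Join(",", roles));       // assumed role encoding in UserData

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;

        // Set() overwrites a ticket left by an earlier login in the same
        // browser session instead of adding a second cookie beside it.
        response.Cookies.Set(cookie);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;                         // no ticket: request stays anonymous

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }       // unreadable or tampered ticket: anonymous
        if (ticket == null || ticket.Expired)
            return;

        // Identity and roles both come from the same ticket, so the roles
        // cannot belong to a different user than the name does.
        string[] roles = ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Windows that share one browser session send the same cookie, so the server sees them as one user; with this handler the most recent login in that session determines both the name and the roles.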