forms auth - session timeout - multi domains - POST values

[Larry Foulkrod]

I have several questions.

1) Does forms authentication store and re-send data intended for the
secured page via a post request during its redirection to the login page?

For example, I am a authenticated user filling out a form. I leave my
computer for a bit and my session times out. I come back and submit the
form. How is this handled within the forms authentication model?

2) I have multiple domain names. I persist cookies in the browser once for
each domain. The user authenticates on www.thisdomain.com but then requests
a resource on www.thatdomain.com. Will I be able to access the users
authentication status?

 

[Brock Allen]

For example, I am a authenticated user filling out a form. I leave my

computer for a bit and my session times out. I come back and submit
the form. How is this handled within the forms authentication model?

Forms Authentication uses a different cookie than Session, so they are tracked
independantly. In the scenario you describe, the Session will be gone but
they will have logged in (barring assumptions in your code about the presence
of Session that prevents this).

2) I have multiple domain names. I persist cookies in the browser
once for each domain. The user authenticates on www.thisdomain.com
but then requests a resource on www.thatdomain.com. Will I be able to
access the users authentication status?

Cookies are scoped to the domain, so an ASP.NET authentication cookie issued
by one won't be visible by another. They'll have to somehow authenticate
on the second domain to have that cookie issued.