Forms Authentication and Authentication Cookie

rgouge

I'm working on an ASP.NET application (ver 1.1) .. using forms
authentication. The problem I'm having is managing the cookie. I'm not
persisting the authentication cookie .. have a sliding expiration
of 10min that I update every time the page is posted to the server. I am
having two issues ..

1. I end up with multiple cookies of the same name in the cookie
collection

2. If I have a web page open initially and redirect from a link on that
page to the application I am working on in a new window .. they both share
the same session id .. and cookie collection. If I authenticate a user now
in my web application and the user then closes the application without
logging out (leaving the window containing a link to my application open)
and then the user clicks on the link to redirect back to the application to
be authenticated, seeing that the cookie and session are the same .. the user
skips the login page and is directed to the requested URL in the
application.

Any feedback would be appreciated.
 
Dominick Baier [DevelopMentor]

Hello rgouge,

that's because IE shares cookies in the same process - and that's what happens
if you are doing something like target=_blank or similar.

I guess you could use some client javascript magic to clear the client side
cookies before redirecting - if it is some kind of portal page from which
the app is started.
 
rgouge

Thanks for the reply Dominick,

I am developing a web application to be used by others and have no
control over how that client accesses this application. I was thinking of
using the urlreferrer.uri and compare it with the url.uri to weed out
requests originating from outside the application. Still working on this.

My other question .. when modifying the expiration time of the
authentication ticket in the authentication cookie (not sure if this is the
best approach) on a post back .. I tend to end up with several cookies with
the same name (the name of the authentication cookie) .. is this typical ..
it's not my intention.
 
Dominick Baier [DevelopMentor]

Hello rgouge,

you don't have to set the time on every request - just configure FormsAuth
for sliding expiration and this will do it for you automatically.
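
The configuration the reply above refers to, as an added example that is not part of the original thread: a web.config fragment that gives the 10-minute sliding window from the question without any per-postback code rewriting the ticket. The cookie name, loginUrl and the requireSSL setting are assumptions for illustration.

```xml
<!-- web.config (added example; cookie name and loginUrl are assumed values) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        timeout           : ticket lifetime in minutes (the 10 min from the question)
        slidingExpiration : the forms authentication module reissues the ticket
                            itself, on a request made after more than half of
                            the timeout has elapsed
        protection="All"  : the ticket is both encrypted and validated
        requireSSL        : the cookie is only sent over HTTPS
                            (assumes the site is served over SSL)
      -->
      <forms name=".APPAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="10"
             slidingExpiration="true"
             requireSSL="true"
             path="/" />
    </authentication>
    <authorization>
      <!-- Anonymous requests are sent to loginUrl -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Whether the cookie persists across browser sessions is decided at login by the createPersistentCookie argument of FormsAuthentication.RedirectFromLoginPage; passing false keeps it a session cookie.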
 
