Session-specific Auth Cookie

[Matt Braun]

I'm testing an ASP.NET 2.0 Application that uses Forms Authentication, a
custom Security Provider, and the built-in asp:Login server control. I've
discovered that if I open two or more separate instances of a given browser
(ie; 2+ instances of IE or 2+ instances of FireFox) and log in to one browser
using one set of credentials and the other using another set that spordically
the browsers begin sharing the information about who is logged and, thus, I
can only effectively be logged in as one person at a time from a given
machine.

Generally - in IE - if I only use the buttons in the application to move
around then I'm okay but if I hit the browser's back button it tends to
change me over to the credentials of whichever user I most recently loaded a
page for.

In Firefox, the behavior is a bit different - it consistently shares the
information across all instances no matter if I'm clicking through only using
buttons/links in the app or if I'm using my back button.

Naturally, if I have FireFox and IE open at the same time, they don't share
the data and I *can* run two separate logged in users from the same machine.
Based on this behavior, I think that what is happening is that the .ASPAUTHX
cookie is being shared across my sessions in any given version of browser.

1. Can anyone confirm that what I'm seeing is expected behavior? Should
..ASPXAuth cookies (for a single application) be shared globally across all
instances of given browser?

2. Is it possible to enforce .ASPAUTHX cookies to be session-specific to
allow for having two instances of IE open at the same time but logged in as
two different users?

 

[Dominick Baier [DevelopMentor]]

Hi,

this sounds like you are persisting the cookie on the harddrive.

Usually the auth cookie is a temporary cookie per session. However - if you
start a new IE instance using ctrl+n e.g. they share the temporary cookies.

 

[Matt Braun]

I agree and what you describe is the behavior I was expecting - that each
session would have its own auth cookie. My code (neither the web app nor the
custom security provider) doesn't write the cookie though since I'm relying
on ASP.NET's forms authentication to handle that. As such, I'm uncertain why
I'm not experiencing the behavior we both expect.

Further ideas on why ASP.NET would be writing the cookie in a way that makes
it shared? If I look at the cookie in FireFox is does indeed identify itself
as a "Expire At End Of Session" so, at least to that degree, it seems to be
marked as Session cookie.

 

[Dominick Baier [DevelopMentor]]

Hi,

get a tool like www.fiddlertool.com and poke around in the http traffic -
i am not sure what the reason could be - never experienced that.

 

[Joe Kaplan \(MVP - ADSI\)]

When I see problems like this, it often has to do with confusion between a
browser window and a browser process and how session cookies work.

IE (and probably Firefox it sounds like) will share session cookies across
the entire process. Here, a "session cookie" is the kind of cookie that is
not written to disk. It is kept in memory by the browser process and "goes
away" when the process terminates.

A browser process can have multiple windows though. You see this all the
time when you do ctrl+N in IE or right click "new window". A such, those
windows will all send the same cookies back to the server. Since session
state in IE is cookie based, all of those browser windows will use the same
session state.

However, it is also possible to have multiple IE processes running at the
same time. These will not share session cookies.

I agree with Dominick that using a tool like Fiddler or a plugin like
ieHttpHeaders for IE (or the built in header stuff in Firefox) is a good way
to see which cookies an invidual browser window is receiving and sending so
you can see what's going on.

HTH,

Joe K.

 

[Matt Braun]

To eliminate the chance that something specific to my implementation was
causing this, I've created a simple project that uses the
ReadOnlyXmlMembershipProvider (from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/ASPNETProvMod_Prt1.asp)
and demonstrates in a finite number of steps what is happening.

I've replicated the problem on Windows XP SP2 with IE 6.0 and with FireFox
1.0.7 and on Mac OSX 10.4.4 with Safari 2.0.3 so I'm confident it's not a
client issue.

To see the problem in action, look here and follow the instructions at the
top of the page: http://www.ization.com/authtest/default.aspx

To download the project and see the code the runs the example, look here:
http://www.ization.com/authtest/authtest.zip

Hopefully there's a simple setting that I'm overlooking that will fix this.
(At this point, I'll even take a complex solution, though!)

I look forward to your help.

Matt

 

[Luke Zhang [MSFT]]

Hello,

How did you open a new IE window? Click menu "File\New\Window", or click
"Start" button on desktop and "All programs/Internet Explorer"? And will it
make difference if you open IE in different way? I agree with Joe about
that the session will be shared in a IE process. If you just open a new IE
window by
cClicking menu "File\New\Window", they will be in same session.
Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Matt Braun]

I am opening a new instance of IE by accessing IE on the Start Menu two
different times. That's why I'm perplexed by the behavior; I would expect
the session to cross browsers in the same process but not those in different
processes. Try the example step for step and you'll be able to recreate what
I'm seeing.

Matt

 

[Joe Kaplan \(MVP - ADSI\)]

If you use something like ieHttpHeaders to watch the cookies going back and
forth, do the two different browser processes send the same ASP.NET session
cookie back to the server? That would cause confusion server-side.

Joe K.

 

[Matt Braun]

I ran the test and gathered the output using ieHTTPHeaders. I don't see
anything in the output that indicates to me that the same cookie is being
sent; the AuthTest cookie (which is the name assigned to my cookie in the
<forms> section of web.config) in both browsers shows a different value.
Here is what I got from each browser:

------------------------
** BROWSER #1 **
------------------------

GET /authtest/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---

GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651603188281250
HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

GET
/authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJhxpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Content-Length: 391
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5JbWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginView%24Login%24UserName=Test1&LoginView%24Login%24Password=1234&LoginView%24Login%24LoginButton=Log+In&__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwCALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/default.aspx
Set-Cookie:
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/default.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/contentpage.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer: http://www.ization.com/authtest/default.aspx
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED096EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675B81776E3CD41F3276B6038C48441F7835ADBBD845A9006823322BDE8832D1A97A520C

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---


------------------------
** BROWSER #2 **
------------------------

GET /authtest/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---

GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651603188281250
HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

GET
/authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJhxpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Content-Length: 391
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5JbWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginView%24Login%24UserName=Test2&LoginView%24Login%24Password=1234&LoginView%24Login%24LoginButton=Log+In&__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwCALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/default.aspx
Set-Cookie:
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/default.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/contentpage.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer: http://www.ization.com/authtest/default.aspx
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B42399E7818C1396873853CB

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 21:00:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---

 

[Luke Zhang [MSFT]]

Hello,

You may try to clear the client IE cache first and then tested again to see
if this will help. Also, you may display the Session.SessionID on the web
page to see if they are in same session .

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Matt Braun]

I should have clarified that earlier... I'm *not* using ASP.NET Session State
so there is no Session Cookie. As a test, I did update my sample locally to
enable session state and ran through the steps. The result is the same - the
information gets shared b/t windows - including session state.

As for clearing the cache, I've done that several times and that has no
effect.

Please, try the example as outlined in my earlier post -
http://www.ization.com/authtest/default.aspx - I've set this up to make it
simple for anyone to recreate what I'm seeing b/c I understand that this
isn't normal behavior. Also, feel free to download the sample to examine it
- http://www.ization.com/authtest/authtest.zip

 

[Luke Zhang [MSFT]]

Hello,

I tested your smaple but got correct result. The user account in browser 1
always be 'test1', it never changed. Therefore, I think it is still a
client problem. Is there a proxy or firewall for your clients?

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Matt Braun]

Hi Luke,

Sorry for the delay; I forgot to have the forum email me with updates. To
answer your question, no there are no firewalls or proxy servers in the mix.

To be certain... when you did the test did you use the exact url in both
browsers and *not* copy the url from one browser to the other? I ask b/c
some of the people who I've had do testing have done that and there's a bit
of extra data on the URL in the first window (namely
AspxAutoDetectCookieSupport=1) which circumvents the problem if that's how
you initiate the second browser. Just want to make sure we're both testing
the same thing exactly, as the condition is very specific to recreate this
but I've yet to walk anyone through it where it doesn't occur (I've tested on
four diff't Windows PCs on three diff't networks at this point)

Since my last post I have gathered some additional information. In my
initial posts I noted that I can recreate this problem on Firefox, Safari,
and IE for Mac. I've since come to find out that these browsers *always*
share cookies between instances no matter how you open up the browser. This
means that that part of my testing does not add any validation to the
problem. Once I discovered that, however, I decided to baseline IE's
behavior to make sure it *did* behave like I'd expect on at least one
website. What I've found is that if I access a tradional ASP application in
IE that sets a session cookie that the cookie is accessible only to the
instance of the browser that set it and I can run multiple instances side by
with diff't cookie values and they maintain their individuality (aka; a
diff't logged in user). When I hit my test .NET app, however, the info
consistently manages to jump b/t browsers.

So, it looks like the behavior that I'm expecting to see is actually a
feature that only IE supported in the first place. That aside, I can clearly
see that IE doesn't maintain the behavior when accessing this specific .NET
example so I can only think that some characteristic of the cookie that is
being set is affecting the behavior.

Certainly if you can't recreate the problem then it's going to be hard to
troubleshoot. I'll entertain anything that might help you out at this point;
if you'd like to Webex to my computer to see it happening or if there's
information I can send you, just let me know.

Thanks again,
Matt

 

[Luke Zhang [MSFT]]

Strange enough, I was enble to reproduce the problem on my computer today.
However, if I click the "Click Here" in browser window 2, there wasn'y such
a problem. I notice when I came back to the login form, there is no
"AspxAutoDetectCookieSupport=1" in the url line. What is this mean?

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Matt Braun]

"AspxAutoDetectCookieSupport=1" is something that the ASP.NET Security
framework adds to indicate that it has set a cookie to test for cookie
support; it only occurs once when you first hit a website that is using auto
detection cookie support but I don't know a whole lot more than that.

As for you not seeing the behavior quite the same in browser #2, I've found
that if I click through in one window (be it one or two) and then go to the
other window, the most recently used window is the user that appears and that
it will continue to jump b/t windows based on which window I've used most
recently. Also, however, if you F5 then it magically goes back to the
correct user for the window.

I suspect we need one of two groups to be looking at this... either someone
from the .NET development team with experience with the ASP.NET
security/login infrastructure and/or the IE development team to determine if
IE is the culprit.

It's definitely a quirky issue but I'm glad to hear you've reproduced it.

Matt

 

[Luke Zhang [MSFT]]

I have to say I CANNOT reproduce it again today! Even I have tested it on
more than two computers. Not sure what happened.

I notice you use history.back to go back login form from the content form.
I suspect there is some thing wrong with the "history". For example,
browser 1 used history of browser 2, it didn't get fresh content from web
server, just use data stored in IE cache. I suggest you may perform a TCP
trace on the port 80, to see the data transfering between client and server
to make sure this.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Matt Braun]

I think you've identified the problem. I went back to the application where
I first experienced this and I find that I can only recreate the issue if I
use the browser's back/forward buttons to navigate. If I only use the links
(non-javascript) to navigate then the browsers both accurately maintain
seperate identities since the requests always go back to the server and
aren't served from cache.

Can we get confirmation as to whether this is a design feature or a bug?

 

[Luke Zhang [MSFT]]

The key point is the issue is not totally reproducable. I have tried a .NET
2.0 web application with form authentication on my server, that didn't had
such a problem. You try to change some settings in IE on your side:
Tools/Internet options/General/Settings/Check for newer versions of stored
pages, can this help on the issue?

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)