Cookies question

  • Thread starter: Joe Fallon

Joe Fallon

I use forms authentication for my app.
After I log in successfully each request by the browser contains 2 cookies.
One for the SessionID and one for forms authentication which contains my
ticket.

Can someone please explain where these cookies are stored? I think it is in
memory in the browser but am not sure.

Also, some users have stated that they can do the following:
1. Start a browser, hit the site and log in.
2. Start a 2nd browser.
3. Hit the site.
4. BYPASS the log in page and go directly to the Home page.

They claim they can also close all browser sessions, start a new one and
still Bypass the log in page.

How is this possible?
Why would the 2nd browser session have the cookies noted above?

I assume once the authentication ticket expires in 30 minutes of inactivity
that neither scenario would be possible. They would have to re-log in first.

Thanks for any info on this.

Note: they said they use a link from an Intranet site to open a browser - by
using this it somehow shares the session and cookie. They could not do it by
using separate instances from my desktop.
 
Hi Joe,
The cookies are stored on the client machine and have an expiration time.
Hope this helps :)
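
Added example, not part of the thread or of any poster's code: a cookie set without `Expires` or `Max-Age` is a session cookie that the browser drops when it exits, while one with an expiry is kept until that time. The sketch below checks which cookies from a login response would still be sent after the browser is closed and reopened. The cookie names, values and the 30-minute expiry are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header, received_at):
    """Return (name, expiry); expiry is None for a session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    expires = max_age = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = received_at + timedelta(seconds=int(value))
        elif key == "expires":
            expires = parsedate_to_datetime(value.strip())
    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    return name, max_age if max_age is not None else expires


def cookies_after_restart(headers, received_at, restart_at):
    """Names of cookies a browser still holds after being closed and reopened."""
    kept = []
    for header in headers:
        name, expiry = parse_set_cookie(header, received_at)
        # Session cookies (no expiry) are dropped when the browser exits;
        # persistent ones are kept until their expiry passes.
        if expiry is not None and expiry > restart_at:
            kept.append(name)
    return kept


# Constructed sample responses; cookie names and values are assumptions.
LOGIN_TIME = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SESSION_ONLY = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=TICKET; path=/; HttpOnly",
]
PERSISTENT_TICKET = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=TICKET; expires=Mon, 01 Jan 2024 09:30:00 GMT; path=/; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("session-only", SESSION_ONLY), ("persistent", PERSISTENT_TICKET)):
        for minutes in (10, 45):
            at = LOGIN_TIME + timedelta(minutes=minutes)
            print(label, minutes, cookies_after_restart(headers, LOGIN_TIME, at))
```

Running the same check against the `Set-Cookie` headers captured from the real login response shows whether the ticket cookie is issued as a session cookie or a persistent one.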
 