Multiple sessions and forms-based authentication

[Rob]

I have an ASP.NET application that uses forms-based
authentication. A user wishes to be able to run multiple
sessions of this application simultaneously from the
user's client machine.

The web.config file is configured as such:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All"
name="myApplication"/>
</authentication>

The Login.aspx page validates a user id and password by
reading a database table, and if valid, it generates the
authentication ticket, creates a cookie, adds the cookie
to the response, and redirects the user to the
default.aspx :
Dim formsAuthenticationTicket As New
FormsAuthenticationTicket(userid, False, 20)
Response.Cookies.Add(New HttpCookie
(FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(formsAuthenticationTicket)))
Response.Redirect("Default.aspx", False)

Also, upon logout the following is executed:
FormsAuthentication.SignOut()

The problem is that if a user has successfully logged on,
and starts another session for this same application, a
authentication ticket and cookie exist, so that the user
does not have to log on for the second session (the user
wants to log on as a different user). We wish to force a
login for each session. Also related problem is that if
a user has 2 sessions running, and logs off one session,
the FormsAuthentication.SignOut is signing off both
sessions since the authentication ticket is shared.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

Thank you in advance for any help.

 

[Marina]

Any new windows opened from the authenticated browser window would share the
ticket. But I believe if the new window was opened separately, it would
require a new authentication ticket.

 

[bruce barker]

don't store the AuthenticationTicket in a cookie, or use a unique key, and
pass the key on the url or in form variables.

-- bruce (sqlwork.com)

 

[Rob]

It is my understanding that with forms-based
authentication that the authentication ticket must be
stored in a cookie.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

 

[Rob]

No, a new window opened separately does not require a new
authentication ticket. A cookie exists and it assumes
the existing authentication ticket causing the logon to
be bypassed.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

 

[Mike Moore [MSFT]]

Hi Rob,

Here is one way to have multiple sessions, with or without forms
authentication. Set session cookieless to true in the web.config file as
follows.
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data
source=127.0.0.1;Trusted_Connection=yes"
cookieless="true"
timeout="20"
/>

Then the session identifier will be stored in the URL rather than in a
cookie. The URL will look something like this:
http://localhost/(xba2f5554psjchalmtqgkz45)/WebForm1.aspx

Since each instance of the browser has its own URL, each instance can have
a separate session.

There are a few things to consider. (This may not be a comprehensive list)
* Copying URL's
If someone copies a URL and sends it to someone else (I want you to look at
this report. Here's the link...), the URL will contain their session
identifier along with the URL to the page.

* Links which use an absolute path
If you redirect someone to a fully qualified path (such as
http://localhost/WebForm1.aspx), that path does not contain the session
identifier text. To avoid this, use Response.ApplyAppPathModifier to insert
this text into the URL before sending it to the client.

* There have been some security issues with cookieless sessions.
Here's a link to a conversation on this topic.
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=anu315$e2e%2
407%241%40news.t-online.com

Does this answer your question?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security.

This posting is provided "AS IS", with no warranties, and confers no rights.

--------------------