
Multiple sessions and forms-based authentication

Rob
Guest
 
Posts: n/a
#1: Nov 18 '05
I have an ASP.NET application that uses forms-based
authentication. A user wishes to be able to run multiple
sessions of this application simultaneously from the
user's client machine.

The web.config file is configured as such:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" name="myApplication"/>
</authentication>

The Login.aspx page validates a user id and password by
reading a database table, and if valid, it generates the
authentication ticket, creates a cookie, adds the cookie
to the response, and redirects the user to the
default.aspx :
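' Non-persistent ticket for this user with a 20-minute timeout
Dim formsAuthenticationTicket As New FormsAuthenticationTicket(userid, False, 20)
' Encrypt the ticket and send it in the forms-authentication cookie
Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, _
    FormsAuthentication.Encrypt(formsAuthenticationTicket)))
Response.Redirect("Default.aspx", False)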

Also, upon logout the following is executed:
FormsAuthentication.SignOut()

The problem is that if a user has successfully logged on,
and starts another session for this same application, an
authentication ticket and cookie exist, so that the user
does not have to log on for the second session (the user
wants to log on as a different user). We wish to force a
login for each session. Also, a related problem is that if
a user has 2 sessions running, and logs off one session,
the FormsAuthentication.SignOut is signing off both
sessions since the authentication ticket is shared.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

Thank you in advance for any help.

Marina
Guest
 
Posts: n/a
#2: Nov 18 '05

re: Multiple sessions and forms-based authentication


Any new windows opened from the authenticated browser window would share the
ticket. But I believe if the new window was opened separately, it would
require a new authentication ticket.


bruce barker
Guest
 
Posts: n/a
#3: Nov 18 '05

re: Multiple sessions and forms-based authentication


don't store the AuthenticationTicket in a cookie, or use a unique key, and
pass the key on the url or in form variables.

-- bruce (sqlwork.com)



Rob
Guest
 
Posts: n/a
#4: Nov 18 '05

re: Multiple sessions and forms-based authentication


It is my understanding that with forms-based
authentication the authentication ticket must be
stored in a cookie.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

>-----Original Message-----
>don't store the AuthenticationTicket in a cookie, or use a unique key, and
>pass the key on the url or in form variables.
>
>-- bruce (sqlwork.com)

Rob
Guest
 
Posts: n/a
#5: Nov 18 '05

re: Multiple sessions and forms-based authentication


No, a new window opened separately does not require a new
authentication ticket. A cookie exists and it assumes
the existing authentication ticket causing the logon to
be bypassed.

Is it possible with forms-based authentication to have
multiple logged on sessions (separate authentication
tickets)?

>-----Original Message-----
>Any new windows opened from the authenticated browser window would share the
>ticket. But I believe if the new window was opened separately, it would
>require a new authentication ticket.

Mike Moore [MSFT]
Guest
 
Posts: n/a
#6: Nov 18 '05

re: Multiple sessions and forms-based authentication


Hi Rob,

Here is one way to have multiple sessions, with or without forms
authentication. Set session cookieless to true in the web.config file as
follows.
<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="true"
    timeout="20"
/>

Then the session identifier will be stored in the URL rather than in a
cookie. The URL will look something like this:
http://localhost/(xba2f5554psjchalmt.../WebForm1.aspx

Since each instance of the browser has its own URL, each instance can have
a separate session.

There are a few things to consider. (This may not be a comprehensive list)
* Copying URLs
If someone copies a URL and sends it to someone else (I want you to look at
this report. Here's the link...), the URL will contain their session
identifier along with the URL to the page.

* Links which use an absolute path
If you redirect someone to a fully qualified path (such as
http://localhost/WebForm1.aspx), that path does not contain the session
identifier text. To avoid this, use Response.ApplyAppPathModifier to insert
this text into the URL before sending it to the client.

* There have been some security issues with cookieless sessions.
Here's a link to a conversation on this topic.
http://www.google.com/groups?hl=en&l...anu315%24e2e%2407%241%40news.t-online.com

Does this answer your question?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer's security.

This posting is provided "AS IS", with no warranties, and confers no rights.
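
Added example, not part of the thread and not Microsoft's code: one way to combine bruce's suggestion (a unique key carried in the URL) with the cookieless session setting above, so that each browser window holds its own login and logging off one window leaves the others alone. The class name, the session key names and the User-Agent comparison aimed at the copied-URL problem are assumptions; it also assumes protected pages enforce login through this base class rather than through the shared forms-authentication cookie.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI

' Hypothetical base class for protected pages (name and keys are assumed).
' Requires <sessionState cookieless="true" /> so that every browser window
' carries its own session id in the URL.
Public Class PerWindowAuthPage
    Inherits Page

    Private Const UserKey As String = "auth.userid"
    Private Const AgentKey As String = "auth.agent"

    ' Login.aspx calls this after checking the user id and password.
    Public Shared Sub SignIn(ByVal ctx As HttpContext, ByVal userid As String)
        ctx.Session(UserKey) = userid
        ' Remember which browser logged in, to spot a URL pasted elsewhere.
        ctx.Session(AgentKey) = ctx.Request.UserAgent
    End Sub

    ' Logs off this window only; other windows hold other session ids.
    Public Shared Sub SignOut(ByVal ctx As HttpContext)
        ctx.Session.Clear()
        ctx.Session.Abandon()
    End Sub

    ' User id bound to this window's session, or Nothing if not logged in.
    Protected ReadOnly Property CurrentUserId() As String
        Get
            Return DirectCast(Session(UserKey), String)
        End Get
    End Property

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)
        Dim agent As String = DirectCast(Session(AgentKey), String)
        Dim sameBrowser As Boolean = String.Equals(agent, Request.UserAgent)
        If CurrentUserId Is Nothing OrElse Not sameBrowser Then
            ' Not logged in, or the URL was opened by a different browser:
            ' drop the session state and force a login for this window.
            Session.Clear()
            Response.Redirect("Login.aspx", True)
        End If
    End Sub
End Class
```

The User-Agent comparison is only a heuristic: a copied URL opened in an identical browser build still passes, so a short session timeout remains important. Login.aspx itself must not inherit from this class.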

