forms authentication not authenticating

Hi Greg,

It is really strange since the browser has no relation to the asp.net web
application. Anyway, please check out your web.config file to see if there
is anything wrong.

Also, I suggest you try the steps in this article to create a form based
authentication asp.net web app. Please test on this new web app to see if
you could repro the problem.
"HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
by Using Visual Basic .NET"
http://support.microsoft.com/?id=308157

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! ¨C www.microsoft.com/security
This posting is provided ¡°as is¡± with no warranties and confers no rights.

I did some more testing.

Try this to duplicate the problem:

Open a site that uses forms authentication. In my test I am using the
IBuySpy portal.

http://www.asp.net/IBS_Portal/DesktopDefault.aspx

Create account and sign in (do not check the remember login box). Creating
a shortcut on desktop (I think this is the important piece.) to the web
site.

Close all browser windows.

Open a new browser window to something (say www.yahoo.com)

Leave that window open, double click on the shortcut to IBuySpy portal.
Sign-in again. Close browser, leaving Yahoo open in first browser.
Double-click shortcut to IBuySpy again. Notice, you are still logged in!
Close window, repeat ad nauseam. :^)

Thanks,
Greg

"Tian Min Huang" <ti******@online.microsoft.com> wrote in message
news:os**************@cpmsftngxa06.phx.gbl...

Hi Greg,

It is really strange since the browser has no relation to the asp.net web
application. Anyway, please check out your web.config file to see if there
is anything wrong.

Also, I suggest you try the steps in this article to create a form based
authentication asp.net web app. Please test on this new web app to see if
you could repro the problem.
"HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application
by Using Visual Basic .NET"
http://support.microsoft.com/?id=308157

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! ¨C www.microsoft.com/security
This posting is provided ¡°as is¡± with no warranties and confers no rights.

You can do the same thing by opening a browser window, then opening a a new
window from it (CTRL-N).

I am sure this is just the way it works, but it was confusing at first. Am
I correct in saying, it is because all these windows are sharing the same
session ID, hence the same authentication cookie? (I can see that they
are.)

I guess, double-clicking on a shortcut to a web site does the same thing as
a CTRL-N. Ie., it does not launch a new session. Bummer.

Thanks,
Greg
"Jim Cheshire (MS)" <ja******@online.microsoft.com> wrote in message
news:OF**************@cpmsftngxa06.phx.gbl...

Hi Greg,

I can reproduce this issue easily. I am looking into it for you.

Jim Cheshire
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Greg Burns" <gr********@hotmail.com>
References: <#T**************@TK2MSFTNGP11.phx.gbl>

<os**************@cpmsftngxa06.phx.gbl>

Subject: Re: forms authentication not authenticating
Date: Mon, 28 Jul 2003 10:20:37 -0400
Lines: 55
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#E**************@TK2MSFTNGP10.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 146.145.213.7
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:162604

X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

I did some more testing.

Try this to duplicate the problem:

Open a site that uses forms authentication. In my test I am using the
IBuySpy portal.

http://www.asp.net/IBS_Portal/DesktopDefault.aspx

Create account and sign in (do not check the remember login box). Creatinga shortcut on desktop (I think this is the important piece.) to the web
site.

Close all browser windows.

Open a new browser window to something (say www.yahoo.com)

Leave that window open, double click on the shortcut to IBuySpy portal.
Sign-in again. Close browser, leaving Yahoo open in first browser.
Double-click shortcut to IBuySpy again. Notice, you are still logged in!
Close window, repeat ad nauseam. :^)

Thanks,
Greg

"Tian Min Huang" <ti******@online.microsoft.com> wrote in message
news:os**************@cpmsftngxa06.phx.gbl...

Hi Greg,

It is really strange since the browser has no relation to the asp.net web application. Anyway, please check out your web.config file to see if

there is anything wrong.

Also, I suggest you try the steps in this article to create a form based authentication asp.net web app. Please test on this new web app to see if you could repro the problem.
"HOW TO: Implement Forms-Based Authentication in Your ASP.NET Application by Using Visual Basic .NET"
http://support.microsoft.com/?id=308157

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! ¨C www.microsoft.com/security
This posting is provided ¡°as is¡± with no warranties and confers no

rights.

Greg,

That's exactly what's happening. When you are using Forms authentication
and an unpersistant cookie, the cookie is in-memory. Apparently, Internet
Explorer is sharing that memory space when the window is opened via the
shortcut icon or a Ctrl-N. This is expected when you are using Ctrl-N or
Window, New Window. Obviously if that didn't share session state with the
original window, it would be undesirable for an Internet developer. (That
would also mean that a client-side window.open or a _blank target attribute
would also lose session state.)

This is by-design, although it may be counter-intuitive at first and may
provide undesirable results at times. The solution in your case is to make
sure that your Forms authentication ticket expires within a relatively
short timeframe.

Jim Cheshire
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Greg Burns" <gr********@hotmail.com>
References: <#T**************@TK2MSFTNGP11.phx.gbl> <os**************@cpmsftngxa06.phx.gbl>
<#E**************@TK2MSFTNGP10.phx.gbl>
<OF**************@cpmsftngxa06.phx.gbl>Subject: Re: forms authentication not authenticating
Date: Mon, 28 Jul 2003 17:18:11 -0400
Lines: 112
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <e$**************@tk2msftngp13.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.aspnet
NNTP-Posting-Host: 146.145.213.7
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftn gp13.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.dotnet.framework.aspnet:162771
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet

You can do the same thing by opening a browser window, then opening a a new
window from it (CTRL-N).

I am sure this is just the way it works, but it was confusing at first. Am
I correct in saying, it is because all these windows are sharing the same
session ID, hence the same authentication cookie? (I can see that they
are.)

I guess, double-clicking on a shortcut to a web site does the same thing as
a CTRL-N. Ie., it does not launch a new session. Bummer.

Thanks,
Greg
"Jim Cheshire (MS)" <ja******@online.microsoft.com> wrote in message
news:OF**************@cpmsftngxa06.phx.gbl...

Hi Greg,

I can reproduce this issue easily. I am looking into it for you.

Jim Cheshire
Developer Support
ASP.NET
ja******@online.microsoft.com

This post is provided as-is with no warranties and confers no rights.

--------------------

>From: "Greg Burns" <gr********@hotmail.com>
>References: <#T**************@TK2MSFTNGP11.phx.gbl>

<os**************@cpmsftngxa06.phx.gbl>

>Subject: Re: forms authentication not authenticating
>Date: Mon, 28 Jul 2003 10:20:37 -0400
>Lines: 55
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
>Message-ID: <#E**************@TK2MSFTNGP10.phx.gbl>
>Newsgroups: microsoft.public.dotnet.framework.aspnet
>NNTP-Posting-Host: 146.145.213.7
>Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTN GP10.phx.gbl
>Xref: cpmsftngxa06.phx.gblmicrosoft.public.dotnet.framework.aspnet:162604 >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
>
>I did some more testing.
>
>Try this to duplicate the problem:
>
>Open a site that uses forms authentication. In my test I am using the
>IBuySpy portal.
>
>http://www.asp.net/IBS_Portal/DesktopDefault.aspx
>
>Create account and sign in (do not check the remember login box).Creating >a shortcut on desktop (I think this is the important piece.) to the web
>site.
>
>Close all browser windows.
>
>Open a new browser window to something (say www.yahoo.com)
>
>Leave that window open, double click on the shortcut to IBuySpy portal.
>Sign-in again. Close browser, leaving Yahoo open in first browser.
>Double-click shortcut to IBuySpy again. Notice, you are still logged in! >Close window, repeat ad nauseam. :^)
>
>Thanks,
>Greg
>
>
>
>"Tian Min Huang" <ti******@online.microsoft.com> wrote in message
>news:os**************@cpmsftngxa06.phx.gbl...
>> Hi Greg,
>>
>> It is really strange since the browser has no relation to the asp.netweb >> application. Anyway, please check out your web.config file to see if

there

>> is anything wrong.
>>
>> Also, I suggest you try the steps in this article to create a formbased >> authentication asp.net web app. Please test on this new web app to seeif >> you could repro the problem.
>> "HOW TO: Implement Forms-Based Authentication in Your ASP.NETApplication >> by Using Visual Basic .NET"
>> http://support.microsoft.com/?id=308157
>>
>> Regards,
>>
>> HuangTM
>> Microsoft Online Partner Support
>> MCSE/MCSD
>>
>> Get Secure! ¨C www.microsoft.com/security
>> This posting is provided ¡°as is¡± with no warranties and confers no
>rights.
>>
>>
>
>
>