using Session with FormsAuthentication

Hello;

I use in my web application FormsAuthentication. Also I use Session state
(InProc).

When a user logged in, I can read Session parameters. (For example
Session["USER_ID"]). Problem is that, when user close the browser window then
open a new browser, FormsAuthentication reads from cookie and user logs in.
Although user logged in, session parameter is null.

How can I make Session and FormsAuthentication accordant?

Thank you in advance.
--
______________________________
Şenol Akbulak
Nov 19 '05 #1
AF
> Hello;

Hi! (answers inline)

> I use in my web application FormsAuthentication. Also I use Session state
> (InProc).

okay.

> When a user logged in, I can read Session parameters. (For example
> Session["USER_ID"]). Problem is that, when user close the browser window then
> open a new browser, FormsAuthentication reads from cookie and user logs in.

This is not a problem, this is what it is used for. The cookie you've built is used to
authenticate the user automatically.

> Although user logged in, session parameter is null.

These are your implementation and your business rules. If you decided that a logged
in user should have a 'USER_ID' session parameter set while logged, you need to ensure
that when authentication occurs, other parameters are ALSO set.

The typical case when using managed authentication is having the following states:

1) the user connects to the service
2) the user is automatically connected
3) the user is connected but its session parameters are 'empty' (except for ID)
4) the application detects the user is valid but session has not been prepared yet
5) the application finishes preparing the session
6) the user is then ready to browse the service and redirected to the desired document

You are currently at step 3 of the process. Best thing should be to add some information
into the session when it gets validated and check for its existence:

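    // The authentication cookie was accepted for this request.
    if (User.IsLoggedIn())
    {
        // A new session (e.g. a new browser) has no "ready" marker yet;
        // comparing from the literal side avoids a null dereference.
        if (!"ok".Equals(MyUtils.GetSessionValue("ready")))
        {
            Session["USER_ID"] = GetUserId();
            Session["USER_EMAIL"] = GetUserEmail();
            .....
        }
    }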

Antonio Fontes
http://www.futureblogs.net/antonio
Nov 19 '05 #2
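
The check described in the reply above, written as a Global.asax handler that treats the authentication ticket as the source of truth and rebuilds the session from it. This is an added example, not code from the thread; `UserStore`, `UserRecord` and the `SESSION_OWNER` key are hypothetical names, and the user data is constructed.

```csharp
// Global.asax.cs -- added example; UserStore, UserRecord and SESSION_OWNER are hypothetical.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class UserRecord
{
    public int Id;
    public string Email;
}

// Stand-in for the application's user database (constructed sample data).
public static class UserStore
{
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new UserRecord { Id = 1, Email = "alice@example.test" } }
        };

    public static UserRecord FindByName(string name)
    {
        UserRecord user;
        return Users.TryGetValue(name, out user) ? user : null;
    }
}

public class Global : HttpApplication
{
    // The ticket is validated during AuthenticateRequest; session state is
    // attached to the request once AcquireRequestState has completed.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null) return;   // handler that does not use session state
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        string ticketUser = ctx.User.Identity.Name;
        string owner = ctx.Session["SESSION_OWNER"] as string;

        // Session already prepared for the identity named in the ticket.
        if (owner != null &&
            string.Equals(owner, ticketUser, StringComparison.OrdinalIgnoreCase))
            return;

        // Session was prepared for a different identity than the ticket names:
        // discard its contents rather than mix two users' data.
        if (owner != null) ctx.Session.Clear();

        UserRecord user = UserStore.FindByName(ticketUser);
        if (user == null)
        {
            // The ticket names an account that no longer exists: end the login.
            FormsAuthentication.SignOut();
            ctx.Session.Abandon();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        ctx.Session["USER_ID"] = user.Id;
        ctx.Session["USER_EMAIL"] = user.Email;
        ctx.Session["SESSION_OWNER"] = ticketUser;   // written last: marks the session as ready
    }
}
```

Because InProc session state is lost on every application restart, the same handler also covers a user whose ticket outlives a worker-process recycle.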
Antonio;

Thank you for your quick answer.

I want that when user open a new browser, user must login again. How can I
make that?

Thank you.
--
______________________________
Şenol Akbulak
Nov 19 '05 #3
Hi Senol,

As for your problem, two things should be noticed:

1. For the IE browser, it'll start a new session if we launch a new IE window
by creating a new IE instance rather than deriving one from an existing IE
window (e.g. CTRL+N or use the "File->New->Windows" menu in an existing IE
window). In the latter case, the new window will share the original
window's (opener's) session.

2. For cookies, there are generally two kinds: session cookies and
persistent (non-session) cookies. A session cookie's lifecycle is as long as
the browser windows associated with that session; when all the
windows associated with that session are closed, the corresponding session
cookie is also destroyed. A persistent cookie will be persisted in the
client computer's cookie storage even when all IE windows are closed, and
next, when the user opens IE to navigate to that site again, the persisted cookie
will be associated by the browser again.

ASP.NET Session State uses a session cookie to identify the sessionId (if not in
cookieless mode). However, FormsAuthentication provides either a session
cookie or a persistent cookie for the authentication ticket. So for your
scenario, you should choose the session cookie as the FormsAuthentication
authentication ticket's cookie type, so that when the user (specific to a session)
closes all the associated windows, the FormsAuthentication ticket will
also be destroyed along with the sessionid cookie.

For example, the following code generates the authenticated user's
authentication ticket as a non-persistent cookie (session cookie):

    System.Web.Security.FormsAuthentication.RedirectFromLoginPage("username", false);

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Nov 19 '05 #4
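
An added example (not code from the thread) of the non-persistent ticket recommended above, built by hand to show what makes the cookie a session cookie, together with a check that turns away persistent tickets issued before the change and a logout that clears both cookies. `AuthCookies` is a hypothetical helper; the 20-minute expiry and the default `ASP.NET_SessionId` cookie name are assumptions.

```csharp
// Added example; AuthCookies is a hypothetical helper, not part of ASP.NET.
using System;
using System.Web;
using System.Web.Security;

public static class AuthCookies
{
    // Call after the credentials have been verified.
    public static void SignIn(HttpContext ctx, string userName)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(20),    // expiry checked by the server (assumed value)
            false,                          // isPersistent
            string.Empty,                   // userData
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        // cookie.Expires is left unset on purpose: a cookie without an expiry
        // date is a session cookie and is dropped when the browser closes.
        ctx.Response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    // Persistent tickets issued before the switch stay valid until they expire;
    // this sends their holders back to the login page.
    // Returns true when the request was redirected.
    public static bool RejectPersistentTicket(HttpContext ctx)
    {
        if (ctx.User == null) return false;
        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.Ticket.IsPersistent) return false;

        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        return true;
    }

    // Logout: clear the authentication cookie and the session together so
    // neither outlives the other.
    public static void SignOut(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        if (ctx.Session != null) ctx.Session.Abandon();

        // Expire the session id cookie so the next login starts a new session.
        // "ASP.NET_SessionId" is the default name; adjust if sessionState
        // cookieName is configured differently.
        HttpCookie sessionId = new HttpCookie("ASP.NET_SessionId", string.Empty);
        sessionId.Expires = DateTime.Now.AddDays(-1);
        ctx.Response.Cookies.Add(sessionId);
    }
}
```

Browsers that restore the previous session at start-up can keep session cookies across a restart, so the ticket's own expiry remains the bound on how long a login lasts.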
Hi Steven;

I found my answer in your reply.

Thank you very much.

--
______________________________
Şenol Akbulak
Nov 19 '05 #5
You're welcome Senol,

Good luck!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 19 '05 #6
