FormsAuthentication logout issue - c#

I have a problem with this scenario using FormsAuthentication.
I access a website with my login and my password, and the system logs me in using FormsAuthentication. After that I copy the cookies from the browser.
I paste the cookies into the other browser and press F5. The system authenticates the user and grants access; after that I log out.
I go back to the first browser and press F5, and the user remains in the system, ignoring the logout in the other browser.
How do I solve this problem?

Each browser uses its own cookies to check user status, so logging out of the website in one browser doesn't affect your status in others.
So the only way left is to avoid logging in users from different browsers at the same time.
Only one concurrent login per user in Asp.net
http://teknohippy.net/2008/08/21/stopping-aspnet-concurrent-logins/
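
`FormsAuthentication.SignOut()` only expires the cookie in the browser that calls it; the encrypted ticket itself stays valid until it expires, so a copy keeps working. One way to implement the single-login approach linked above so that logout revokes every copy (an added example, not code from the original thread; the `TicketRegistry` class and its method names are hypothetical, and the in-memory dictionary stands in for a shared store):

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: binds each forms-auth ticket to a server-side session id.
public static class TicketRegistry
{
    // User name -> id of the only ticket still accepted. In-memory for illustration only.
    private static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call after the credentials have been validated.
    public static void SignIn(HttpContext context, string userName)
    {
        string sessionId = Guid.NewGuid().ToString("N");
        Active[userName] = sessionId; // replaces (and so revokes) any earlier login
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout), false, sessionId);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        context.Response.Cookies.Add(cookie);
    }

    // Call from the logout handler.
    public static void SignOut(string userName)
    {
        string ignored;
        Active.TryRemove(userName, out ignored); // server side: rejects every copy of the ticket
        FormsAuthentication.SignOut();           // client side: clears the cookie in this browser
    }

    // Call on every request, after FormsAuthenticationModule has set context.User.
    public static void Enforce(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return; // anonymous or non-forms request
        string current;
        bool valid = Active.TryGetValue(identity.Name, out current)
                     && current == identity.Ticket.UserData;
        if (valid) return;
        FormsAuthentication.SignOut(); // stale or revoked ticket: treat as anonymous
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }
}
```

Call `TicketRegistry.Enforce(Context)` from `Application_PostAuthenticateRequest` in Global.asax. An application restart empties the dictionary and signs everyone out, which is why a web farm or production site needs a database or distributed cache instead.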


Clearing browsing data in chrome custom tab

Is it possible to clear browsing data, cookies, active logins, etc. behind the scenes (programmatically) on Chrome custom tabs?
My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)
Shared cookie jar and permissions model so users don't have to log in to sites they are already connected to, or re-grant permissions they have already granted.
Chrome Custom Tabs is the Chrome browser (via the Chrome service and custom Intents) and thus the cache, cookies, etc. are shared (actually the same).
The answer is no, you cannot programmatically clear the data of Chrome.
Note: Right now there is no support for creating an Incognito-based Custom Tab.
I would issue the user a transient/session cookie so it does not get persisted if you wish to force a re-login on the start of every new session.
"My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)"
As of now, July 2020, on AppAuth's request builder you can use the method setPrompt(AuthorizationRequest.Prompt.LOGIN).
This will prompt the user to log in every time.
If this method isn't provided and, let's say, there is some persistence needed (to log the user in automatically after they have logged in). If the server issues cookies to do this, currently it is a challenge to log the user out using an endpoint.

same session value exists among different users

I am developing an intranet web application. In the Global.asax file's session_start event I get the domain identity using User.Identity and put it into a session value. Now I have a master page where I am accessing that session value to show the user name.
I am using Windows authentication with identity impersonation set to true. But after publishing it, the name of the user who first logs in to the system gets displayed to everyone.
I am not able to find out the cause. Please suggest.
It's hard to determine the problem without some sample code, but I can guess what's happening.
Do you understand that opening a new Web browser tab, or just opening the same URL in the same tab, may start a new session?
Session state is persisted as a cookie on the client side (Web browser) and any tab or window within the same browser session (that would end if you close and re-open the browser) shares it. In other words: all tabs or windows of the same browser session will share the same session state on the server side.

Web-browser needs again username and password

While a web page which needs login is open in my browser,
if I close the browser and re-open it, I have to enter the username and password again.
But sometimes, when I close the browser and re-open it for the same page, the username and password aren't needed again.
Is it about Session, Cookie? If yes, why are there different conditions?
What do you think?
Gokturk
It depends on which session state management technique is used. Basically there are 3 state management techniques that can be used in ASP.NET:
Asp.Net state management
I think the web page is using cookies with some expiry period. If it's a session, then when you close the browser the session will be cleared (InProc mode).
The cookie will expire after the mentioned period; if you are able to log in again after the browser is closed, then the cookie is checked for your credentials.
For the different conditions, the following reasons may explain it:
if you cleared your browser data (sessions, cookies, etc.)
you may have clicked remember password, which would be stored in the browser cache.
So it definitely seems the web site only allows session-based, non-persistent cookies. My guess (as I've seen this on my system as well) is that the browser is closed, but the process hasn't died off. When you open a "new" browser, it's picking up the existing process with all of the session information still valid. To confirm this, each time you close the browser, check Task Manager to ensure iexplore.exe, chrome.exe or firefox.exe are completely missing before starting a new session.

ASP.Net client caching on authenticated pages

Our web app currently under development has authentication on all the pages.
We can deny a user access to any particular page but have found that if a user had previously opened the page, they can still access the page via the URL. [Even if they log out and log in]
Assuming that the page is coming from client cache [Ctrl F5 in IE kicks in the proper authentication behavior or clearing the client cache]
A lot depends on how we have implemented the authentication, but a quick fix on our side would be, from within the admin section where we deny access to certain pages, to expire the client cache for that page.
Is there a way to do this programmatically?
This would mean that client caching would continue to work as normal for all other users that still had access to the page in question.
You can add this line to your Page base class or anywhere in a specific page you want to disable caching on.
Response.Cache.SetCacheability(HttpCacheability.NoCache)

ASP.Net web flow

I am developing a large asp.net based application. Certain pages & links require user authentication. At some page, I have links and form submission for which I first need to authenticate the user. Here is an example:
In PageX I have a link L1. When the user clicks it, I check whether the user is authenticated or not. If not, I redirect to the login page. Once the user is authenticated, I redirect him back to PageX. But the problem is, I don't want the user to click L1 again! Instead, I want the L1 action to be executed once the user is authenticated and its results displayed etc.
I am trying to have a good solution to this problem. Any idea on how to accomplish this?
ASP.NET's Forms Authentication addresses this scenario. You can deny all unauthenticated users to all pages or (more commonly) deny unauthenticated users to a proper subset of pages.
There are several ways of doing it:
1. The built-in way of Forms Authentication; correct me if I remember wrong, you should be able to add your own login logic and integrate your login control with the Forms Authentication provider.
2. Assign the L1 URL to a query string or a session if the user is not logged in, and add logic to your login control to redirect the user when login is successful.
Use Forms Authentication.
It's baked into ASP.NET and does exactly what you're talking about.
The User will click on a link. If they're not authenticated, they will be redirected to a login page (one of the parameters to the page will be the destination URL they were trying to reach). After a successful login, the User will be redirected to the page they requested instead of having to click the link again.
You also need to make sure you have your web.config set up to properly allow/deny unauthorized access to your application as described here:
Setting authorization rules for a particular page or folder in Web.config
