I have an issue with sessions. My web site is implementing a logged users console, which registers a new user each time it logs in. If I try to open 2 pages within the same web explorer, it fails because the method first asks if the user is already connected, so as not to register it twice.
This method takes as a parameter the sessionID, which is provided by .NET.
My question is: In the same browser (or on the same computer, localhost), is the sessionID always the same, or when is it generated?
By default, new tabs or new windows in a browser will share the same process and therefore the same temporary session cookies for a domain.
To open a new session in IE, choose File > New Session.
SessionID will be the same for the same browser.
On a different browser (or a different computer) you'll get a different SessionID.
That's kinda how it is all over the internet, not just with ASP.NET, because of the way cookies work.
For example you'll notice that you can't log into amazon or ebay using different accounts within the same browser.
SessionId is the same per browser. You can check it by logging in to Yahoo: the first page will ask for the user name and password; if you open the second page it will directly take you to your email account.
Depends on the browser being used and how it's being used. As stated already, the session is shared across the same browser on modern browsers by default. Older browsers such as IE before 8 used to share the session across windows by default as well unless the user opened a new instance of IE outside of the browser's interface (i.e. Start Menu/Shortcut).
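The behaviour described in the answers above, as an added example that is not code from any of the posts: because every tab and window of one browser presents the same session ID, a logged-users registry keyed on that ID should treat a repeat registration as a refresh rather than an error. The `OnlineUsers` class, its method names and the session IDs are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical registry for a "logged users" console, keyed by session ID.
public sealed class OnlineUsers
{
    private sealed record Entry(string UserName, DateTime LastSeenUtc);
    private readonly ConcurrentDictionary<string, Entry> _bySession = new();

    public int Count => _bySession.Count;

    // True only for the first request of a session. A second tab or window
    // presents the same session ID, so it refreshes the entry instead of failing.
    public bool Touch(string sessionId, string userName, DateTime nowUtc)
    {
        var entry = new Entry(userName, nowUtc);
        if (_bySession.TryAdd(sessionId, entry)) return true;
        _bySession[sessionId] = entry;
        return false;
    }

    // Remove sessions idle past the timeout (browser closed without logout).
    public int Sweep(DateTime nowUtc, TimeSpan idleTimeout)
    {
        int removed = 0;
        foreach (KeyValuePair<string, Entry> kv in _bySession)
            if (nowUtc - kv.Value.LastSeenUtc > idleTimeout && _bySession.TryRemove(kv))
                removed++;   // TryRemove(kv) skips entries refreshed in the meantime
        return removed;
    }
}

public static class Program
{
    public static void Main()
    {
        var users = new OnlineUsers();
        var t0 = new DateTime(2020, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        // Constructed session IDs: two tabs of one browser, then a second browser.
        Console.WriteLine(users.Touch("sess-aaa", "alice", t0));
        Console.WriteLine(users.Touch("sess-aaa", "alice", t0.AddSeconds(5)));
        Console.WriteLine(users.Touch("sess-bbb", "alice", t0.AddSeconds(9)));
        Console.WriteLine(users.Sweep(t0.AddMinutes(25), TimeSpan.FromMinutes(20)));
        Console.WriteLine(users.Count);
    }
}
```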
Is it possible to clear browsing data, cookies, active logins, etc. behind the scenes (programmatically) on Chrome Custom Tabs?
My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)
Shared cookie jar and permissions model so users don't have to log in to sites they are already connected to, or re-grant permissions they have already granted.
Chrome Custom Tabs is the Chrome browser (via the Chrome service and custom Intents) and thus the cache, cookies, etc. are shared (actually the same).
The answer is no, you can not programmatically clear the data of Chrome.
Note: Right now there is no support of creating an Incognito-based Custom Tab
I would issue the user a transient/session cookie so it does not get persisted if you wish to force a re-login on the start of every new session.
"My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)"
As of now July 2020, on appauth's request builder you can use the method setPrompt(AuthorizationRequest.Prompt.LOGIN)
This will prompt the user to login every time.
If this method isn't provided and let's say there is some persistence needed (to log the user in automatically after they have logged in). If the server issues cookies to do this, currently it is a challenge to log the user out using an endpoint.
I have an application that uses ASP.NET as the middle tier. One of the features for administrators is to allow them to pop up another browser window logged in as a non-admin user, so they can provide support.
I use a JavaScript function "openWindowWithPost." The application takes credentials from a DB and forces a login so the support staff does not need to know the user credentials. Unfortunately, when it does that, the original session is reused and hence all of their application variables are shared, causing havoc with the original Admin login.
What I would like is the ability to force a second browser window to pop up and, when it talks to IIS, have it create a new session and keep the original one active. Is this possible? If so, where can I find how to do this?
From your post, it looks like you are using the Session object in ASP.Net to store data.
By default the Session ID is stored by the browser in a cookie. See MSDN for a description of how it works. You could set up your application to use query strings to store the session id, but that is really old-fashioned and can become messy and hard to deal with.
Your best bet is to find a solution at the browser level. For example, Firefox has an extension called Multifox that would do what you want. Other browsers have similar extensions.
I am working in ASP.NET and C#.
I have an application where the user logs in to enter the application. If a user opens the application in a browser and logs in, and if the user opens the application in some other browser on the same system, they should be logged in as well. The same should happen within the same browser in different tabs and also in a different instance of the same browser in which the user was previously logged in. Please give me your suggestions.
You can't share session between multiple browsers.
But session between multiple tabs of a same browser instance is already shared.
The answer is, as stated above, that you can't share Sessions between 2 different browsers as each browser will necessarily start a new session.
If you want a way to allow the user to log in once and stay signed in even if he opens a different browser, then you would have to rely on his IP address since this is the ONLY indicator that the user that logged in Chrome 2 secs ago, may be the same user that's logging in from Firefox now. This is just to give you an example but this is obviously flawed because different users behind the same gateway will all have the same IP.
What you want to do would work only if the application you develop is inside an Intranet and you know for sure that every user will have a unique internal IP address but then the whole point of authenticating users may be achieved through more efficient ways, like Integrated Windows Auth, etc.
You can share a session between two browsers; we implemented such a project a couple of years back.
The technique used was to write a custom browser which, instead of storing cookies on the local machine, stored them on a public server,
so that when one guy logs in, the cookie and other local data associated with the session are shared with the server and thus with all browser instances. The browser instances' cookie is modified to match the server details, so it behaves as if the session is shared.
Some websites have an issue with using a different IP; that could be solved by using a common proxy server.
But if you can't use custom browsers then it will be difficult, but you could still try with plugins that follow the above-mentioned method.
Hope this helps
I have an ASP.NET website.
Here's what happens:
I open the site and log in.
I open another window of the same site in IE.
When I do that, it takes me to the page which is supposed to be shown when the session expires.
So, can you please let me know how to ensure that Session ID does not expire when we open the site in another browser window?
Thanks!
The session is not expiring because you've opened a new window; the new window must not have the cookie used to store the session-id. Most of the time, these cookies are transient or "session" based cookies.
Session cookies may or may not be shared between browser windows, depending on the browser and how you open the new window. For ex., in IE 9, a new window launched using Javascript, Ctrl+N, or Ctrl+T will share session cookies. However, a new window launched by going to File / New Session will not share session cookies.
You also won't see cookies shared between different browsers (for ex., IE and Firefox).
To add a somewhat more simple answer to Michael's excellent response - the short answer thus is "You can't directly achieve this".
But what you CAN do is implement tracking within your application so that you are always aware of what a user's last action was, and no matter what session they come in on, forcibly keep them in your designated workflow.
To achieve that, however, you have to basically ignore session variables (which may be a good idea anyway ;)) and the like and implement a framework that constantly tracks a user's behavior, current location and any other related information. There's obviously a lot of overhead involved but that's the only way I know of to ensure that a certain user will always end up where you desire them to end up when they log in from different browsers, machines, etc.
I have a website in which people's 'logged in' state is confirmed by their session cookie (and a value within the session which they get after they log in). The cookie is set to httpOnly & require SSL.
Let's say somebody has 2 Firefox windows open, window (A) has my application and they are logged in, and window (B) has something else open.
If they close window (A) without explicitly logging out, then open a new window (C) and access a logged-in-only resource from my web application, it will still load because the cookie is still there and they are authenticated. The timeout on my sessions is already very low, but I need to stop this attack possibility because people may access their data on a public computer.
How can I prevent this from happening?
Don't know about other browsers, but Firefox keeps the same session id among all browser windows. You should close ALL windows of Firefox to generate a new session id. So in your example close window A and B, then open C and you should be redirected to login page or something.
You could go for a simple approach of destroying the cookie on the window.close event.
Most browsers have this functionality in that all windows can share the same session cookie for the same site. There is no way I know of server side to stop a browser from doing this.
If you absolutely need to stop this from happening then I can only suggest storing an additional value in the pages themselves or the querystring and also confirming this value within your session.
This could prove to be quite an overhaul of your security though.
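One way to implement the "additional value in the pages, confirmed within your session" idea from the answer above, as an added example that is not code from the thread. The `WindowToken` class and the session key are hypothetical, and a plain dictionary stands in for the server-side Session object.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: a per-login value that pages must echo back.
public static class WindowToken
{
    private const string Key = "WindowToken"; // hypothetical session key

    // Call after a successful login. The value is embedded in every page
    // served to that window (hidden form field or query string).
    public static string Issue(IDictionary<string, object> session)
    {
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        session[Key] = token;
        return token;
    }

    // A request is accepted only if it presents the value stored in the session.
    // The session cookie alone, which a new window inherits, is not enough.
    public static bool IsValid(IDictionary<string, object> session, string presented)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        if (!session.TryGetValue(Key, out object stored) || stored is not string expected)
            return false;
        // Constant-time comparison; returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(presented));
    }
}

public static class Program
{
    public static void Main()
    {
        // Stand-in for the Session object tied to one browser's cookie.
        var session = new Dictionary<string, object>();
        string tokenA = WindowToken.Issue(session);   // window A logs in

        // Window A navigates and echoes the value embedded in its pages.
        Console.WriteLine(WindowToken.IsValid(session, tokenA));
        // Window C: same cookie, so same session, but no page value to present.
        Console.WriteLine(WindowToken.IsValid(session, ""));
        // Constructed wrong value of the right length.
        Console.WriteLine(WindowToken.IsValid(session, new string('0', 64)));
    }
}
```

A value carried in the query string stays in the browser history, which matters on the shared computer the question describes; a hidden form field submitted by POST avoids that.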