Say I have a WebBrowser control inside a Windows Form, and the user logs in to a secure site from the form. If the user were to open IE separately, it would also show them logged in. Is it possible to isolate the Windows Form's IE instance?
The WebBrowser control is built on top of the WebBrowser ActiveX, which lies on top of the WinInet. So you should be able to affect its behavior through the WinInet API.
You can try calling the InternetSetOption WinInet API to set the INTERNET_OPTION_END_BROWSER_SESSION option to end the current session and start a new one. To ensure that the call will affect only the current process, use the INTERNET_HANDLE_TYPE_INTERNET handle.
You don't mention your version; the behavior changed from IE7 to IE8.
In IE7 and IE6, you can open multiple windows and authenticate with different userids on one site.
In IE8, your session state is shared across browser sessions.
You can open IE with privacy mode on; this should allow the session to be sandboxed.
IE8 has the command line switch -nomerge, which starts the browser with a new session.
When you log into a site, you generally get a cookie passed to you from the server that marks you as "logged in" (VERY oversimplified....). My guess would be to delete the cookies. See here:
How to delete Cookies from windows.form?
I have an application which sets a cookie upon authentication, there is a web browser control within this application to navigate a web application which uses this cookie for authentication.
The problem is, if we have the option 'Delete browsing history on exit' along with cookies checked, then when the last instance of IE is closed, the cookie that is being used by my Web browser control is also deleted, in spite of my web browser control being open.
Any suggestions?
Unfortunately the cookie store is commonly used by IE and the embedded WebBrowser control. If by any means you delete the IE cookies, the ActiveX's cookies will be deleted as well.
I have an ASP.NET website.
Here's what happens:
I open the site and log in.
I open another window of the same site in IE.
When I do that, it takes me to the page which is supposed to be shown when session expires.
So, can you please let me know how to ensure that Session ID does not expire when we open the site in another browser window?
Thanks!
The session is not expiring because you've opened a new window; the new window must not have the cookie used to store the session-id. Most of the time, these cookies are transient or "session" based cookies.
Session cookies may or may not be shared between browser windows, depending on the browser and how you open the new window. For ex., in IE 9, a new window launched using JavaScript, Ctrl+N, or Ctrl+T will share session cookies. However, a new window launched by going to File / New Session will not share session cookies.
You also won't see cookies shared between different browsers (for ex., IE and Firefox).
To add a somewhat more simple answer to Michael's excellent response - the short answer thus is "You can't directly achieve this".
But what you CAN do is implement tracking within your application so that you are always aware of what a user's last action was, and no matter what session they come in on, forcibly keep them in your designated workflow.
To achieve that, however, you have to basically ignore session variables (which may be a good idea anyway ;)) and the like and implement a framework that constantly tracks a user's behavior, current location and any other related information. There's obviously a lot of overhead involved but that's the only way I know of to ensure that a certain user will always end up where you desire them to end up when they log in from different browsers, machines, etc.
I have an issue with sessions. My web site is implementing a logged users console, which registers a new user each time it logs in. If I try to open 2 pages within the same web explorer, it fails because the method first asks if the user is already connected for not registering it twice.
This method takes as parameter the sessionID, which is provided by .net.
My question is: In the same browser (or in the same computer, localhost), is the sessionID always the same, or when is it generated?
By default, new tabs or new windows in a browser will share the same process and therefore the same temporary session cookies for a domain.
To open a new session in IE, choose File > New Session.
SessionID will be the same for the same browser.
On a different browser (or a different computer) you'll get a different SessionID.
That's kinda how it is all over the internet, not just with asp.net, because of the way Cookies work.
For example you'll notice that you can't log into amazon or ebay using different accounts within the same browser.
SessionId is same per browser. You can check it by logging in to yahoo, the first page will ask for the user name and password, if you open the second page it will directly take you to your email account.
Depends on the browser being used and how it's being used, as stated already the session is shared across the same browser on modern browsers by default. Older browsers such as IE before 8 used to share the session across windows by default as well unless the user opened a new instance of IE outside of the browser's interface (i.e. Start Menu/Shortcut).
I have a C#/.NET website on my local machine that I use to test.
Every time I run the website in Internet Explorer 7, I have to empty the browser history or it will stay logged on as the previous person.
How do I make it so it lets me log in without having to empty the history every single time I want to test?
Your login information is stored in the session and that sets a cookie in IE7. So you don't have to clear the whole history - just a session cookie for the site.
Alternatively you could implement 'logout' functionality in your app.
Since the issue exists only in your development environment, a workaround would be to use a browser that implements a 'private' mode such as Google Chrome's incognito mode or Microsoft Internet Explorer 8's InPrivate mode.
These browsers, when operating in these 'private' modes, do not keep the cookies and temporary internet files after you close the window which should solve your issue.
However, it should be kept in mind that these browsers might not be fully compatible with the website you are developing.
Moreover, you should provide more information regarding the implementation of your website's authentication and your website in general if a more permanent solution is to be reached.
I have a website in which people's 'logged in' state is confirmed by their session cookie (and a value within the session which they get after they log in). The cookie is set to httpOnly & require SSL.
Let's say somebody has 2 Firefox windows open, window (A) has my application and they are logged in, and window (B) has something else open.
If they close window (A) without explicitly logging out, then open a new window (C) and access a logged-in-only resource from my web application, it will still load because the cookie is still there and they are authenticated. The timeout on my sessions is already very low, but I need to stop this attack possibility because people may access their data on a public computer.
How can I prevent this from happening?
Don't know about other browsers, but Firefox keeps the same session id among all browser windows. You should close ALL windows of Firefox to generate a new session id. So in your example close window A and B, then open C and you should be redirected to login page or something.
You could go for a simple approach of destroying the cookie on the window.close event.
Most browsers have this functionality in that all windows can share the same session cookie for the same site. There is no way I know of server side to stop a browser from doing this.
If you absolutely need to stop this from happening then I can only suggest storing an additional value in the pages themselves or the querystring and also confirming this value within your session.
This could prove to be quite an overhaul of your security though.
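The approach in the last answer (an extra value carried in the page or query string and confirmed against the session), shown as an added Python example that is not part of the original thread. `SessionStore`, `login` and `authorize` are hypothetical names, the store is an in-memory stand-in for real session state, and the example goes one step beyond the answer by rotating the value on every request so a URL left in browser history on a shared machine goes stale.

```python
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for server-side session state (hypothetical)."""

    def __init__(self):
        self._sessions = {}  # session-cookie value -> {"user", "page_token"}

    def login(self, user):
        """Start a session; return (cookie value, token for the first page)."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "page_token": token}
        return sid, token

    def authorize(self, sid, page_token):
        """Return (user, next_token) only if cookie AND page token match."""
        session = self._sessions.get(sid)
        if session is None or not page_token:
            return None  # no session, or cookie sent without a page token
        expected = session["page_token"].encode()
        if not hmac.compare_digest(expected, page_token.encode()):
            return None  # stale or guessed token
        # Rotate: the next page's links and forms carry a fresh value, so a
        # URL left in history stops working after the following request.
        session["page_token"] = secrets.token_urlsafe(32)
        return session["user"], session["page_token"]


if __name__ == "__main__":
    store = SessionStore()
    sid, token = store.login("alice")            # constructed sample user
    print(store.authorize(sid, token))           # window A follows a link
    print(store.authorize(sid, None))            # window C: cookie only -> None
```

Rotating on every request also rejects the back button and a second tab opened from an older page, so the redirect to the login page has to be acceptable in those cases too.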