I have a website in which people's 'logged in' state is confirmed by their session cookie (and a value within the session which they get after they log in). The cookie is set to httpOnly & require SSL.
Let's say somebody has 2 Firefox windows open, window (A) has my application and they are logged in, and window (B) has something else open.
If they close window (A) without explicitly logging out, then open a new window (C) and access a logged-in-only resource from my web application, it will still load because the cookie is still there and they are authenticated. The timeout on my sessions is already very low, but I need to stop this attack possibility because people may access their data on a public computer.
How can I prevent this from happening?
Don't know about other browsers, but Firefox keeps the same session id among all browser windows. You should close ALL windows of Firefox to generate a new session id. So in your example close windows A and B, then open C and you should be redirected to the login page or something.
You could go for a simple approach of destroying the cookie on the window.close event.
Most browsers have this functionality in that all windows can share the same session cookie for the same site. There is no way I know of server side to stop a browser from doing this.
If you absolutely need to stop this from happening then I can only suggest storing an additional value in the pages themselves or the querystring and also confirming this value within your session.
This could prove to be quite an overhaul of your security though.
I am developing an intranet web application. In the Global.asax file's Session_Start event I get the domain identity using User.Identity and put it into a session value. Now I have a master page where I am accessing that session value to show the user name.
I am using Windows authentication and identity impersonation true. But after publishing it, the user name of whoever first logs in to the system gets displayed to everyone.
I am not able to find out the cause. Please suggest.
It's hard to determine the problem without some sample code, but I can guess what's happening.
Are you understanding that opening a new Web browser tab, or just opening the same URL in the same tab may start a new session?
Session state is persisted as a cookie on the client side (Web browser) and any tab or window within the same browser session (which would end if you close and re-open the browser) shares it. In other words: all tabs or windows of the same browser session will share the same session state on the server side.
While a web page (which needs login) is opened in my browser,
if I close the browser and re-open, I have to enter my username and password again.
But sometimes when I close the browser and re-open the same page, it doesn't need the username and password again?
Is it about Session or Cookie? If yes, why are there different conditions?
What do you think?
Gokturk
It depends on which session state management technique is used. Basically there are 3 state management modes that can be used in ASP.NET:
Asp.Net state management
I think the web page is using cookies with some expiry period. If it is session based, then when you close the browser the session will be cleared (InProc mode).
The cookie will expire after the mentioned period; if you are able to re-login after the browser is closed then the cookie is checked for your credentials.
For the different conditions, the following reasons will explain it:
if you cleared your browser data (sessions, cookies, etc.)
you may have clicked remember password, which would be stored in the browser cache.
So it definitely seems the web site only allows session-based, non-persistent cookies. My guess (as I've seen this on my system as well): the browser is closed, but the process hasn't died off. When you open a "new" browser, it's picking up the existing process with all of the session information still valid. To confirm this, each time you close the browser, check Task Manager to ensure iexplore.exe, chrome.exe or firefox.exe are completely missing before starting a new session.
I have an ASP.NET website.
Here's what happens:
I open the site and log in.
I open another window of the same site in IE.
When I do that, it takes me to the page which is supposed to be shown when the session expires.
So, can you please let me know how to ensure that Session ID does not expire when we open the site in another browser window?
Thanks!
The session is not expiring because you've opened a new window; the new window must not have the cookie used to store the session-id. Most of the time, these cookies are transient or "session" based cookies.
Session cookies may or may not be shared between browser windows, depending on the browser and how you open the new window. For ex., in IE 9, a new window launched using Javascript, Ctrl+N, or Ctrl+T will share session cookies. However, a new window launched by going to File / New Session will not share session cookies.
You also won't see cookies shared between different browsers (for ex., IE and Firefox).
To add a somewhat more simple answer to Michael's excellent response - the short answer thus is "You can't directly achieve this".
But what you CAN do is implement tracking within your application so that you are always aware of what a user's last action was, and no matter what session they come in on, forcibly keep them in your designated workflow.
To achieve that, however, you have to basically ignore session variables (which may be a good idea anyway ;)) and the like and implement a framework that constantly tracks a user's behavior, current location and any other related information. There's obviously a lot of overhead involved but that's the only way I know of to ensure that a certain user will always end up where you desire them to end up when they log in from different browsers, machines, etc.
Say I have a WebBrowser control inside a Windows Form, and the user logs in to a secure site from the form. If the user were to open IE separately, it would also show them logged in. Is it possible to isolate the Windows Form's IE instance?
The WebBrowser control is built on top of the WebBrowser ActiveX, which lies on top of WinInet. So you should be able to affect its behavior through the WinInet API.
You can try calling InternetSetOption WinInet API to set the INTERNET_OPTION_END_BROWSER_SESSION option to end the current session and start new one. To ensure that the call will affect only the current process, use the INTERNET_HANDLE_TYPE_INTERNET handle.
You don't mention your version; the behavior changed from IE7 to IE8.
In IE7 and IE6, you can open multiple windows and authenticate with different userids on one site.
In IE8, your session state is shared across browser sessions.
You can open IE with privacy mode on; this should allow the session to be sandboxed.
IE8 has the command line switch -nomerge, which starts the browser with a new session.
When you log into a site, you generally get a cookie passed to you from the server that marks you as "logged in" (VERY oversimplified....). My guess would be to delete the cookies. See here:
How to delete Cookies from windows.form?
What is the best way to determine "user logout" on IIS server in C#/Asp.Net?
I have an application where the logged in users can initiate long running activities on the server. Those activities need to be terminated when the user logs out.
It is not a problem when the user clicks on the logout, but how do I determine that the user has logged out in cases like the user's browser crashing, the user losing their connection, etc.?
Make the application session timeout short and implement some kind of polling (AJAX request, for example) to the web application.
The polling takes care of maintaining the session and if the browser is closed without appropriate logout or it crashes, it ceases and the session times out soon.
This is not possible. The browser is running on a different computer, and will not inform the server when it crashes!
Some online banks like HSBC implement something like this by simply having a popup window appear after 1 minute, where no user response (e.g. clicking an OK button) closes the window and logs them out.
The technique I'd prefer is a JavaScript timer that redirects to the logout and then login page, firing an AJAX call to the server first to terminate your long running process for that user. Relying on Session End can give a bit of an annoying user experience in my view.
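The client-side inactivity timer described in the answer above, written out as an added example (not code from the answer or from any project): user activity resets the timer, and when it expires the page first notifies the server so the long-running work is terminated, then navigates to the logout URL. The browser pieces (timers, `navigator.sendBeacon`, `window.location`) are injected so the logic can run without a DOM; `/session/terminate` and `/logout` are assumed paths.

```javascript
// Added example: inactivity timer that terminates server-side work and logs out.
// `deps` supplies the browser-facing calls so the core logic is testable.
function createIdleLogout({ idleMs, terminateUrl, logoutUrl }, deps) {
  const { setTimer, clearTimer, sendBeacon, navigate } = deps;
  let handle = null;
  let expired = false;

  // Fires once: tell the server to kill the user's long-running job, then
  // leave the page. sendBeacon is used because it completes even as the
  // page unloads, unlike an ordinary XHR that may be cancelled.
  function expire() {
    if (expired) return;
    expired = true;
    try {
      sendBeacon(terminateUrl);
    } finally {
      navigate(logoutUrl);
    }
  }

  // Called on every user interaction: cancel the pending timer and re-arm.
  function reset() {
    if (expired) return;
    if (handle !== null) clearTimer(handle);
    handle = setTimer(expire, idleMs);
  }

  return { reset, expire, isExpired: () => expired };
}

// Browser wiring (assumed: a real page where window, navigator and
// setTimeout exist). Not executed outside a browser.
function installInBrowser(opts) {
  const idle = createIdleLogout(opts, {
    setTimer: (fn, ms) => setTimeout(fn, ms),
    clearTimer: (h) => clearTimeout(h),
    // POST with the session cookie; the server endpoint (assumed path)
    // should look up the user's running activities and cancel them.
    sendBeacon: (url) => navigator.sendBeacon(url),
    navigate: (url) => { window.location.href = url; },
  });
  for (const ev of ['mousemove', 'keydown', 'click', 'scroll', 'touchstart']) {
    window.addEventListener(ev, idle.reset, { passive: true });
  }
  idle.reset(); // arm on page load
  return idle;
}

module.exports = { createIdleLogout, installInBrowser };
```

The server must still enforce its own short session timeout, since a client that is closed or crashed never runs this timer at all.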