Forms Authentication and Differences Between Windows Explorer and IE

 
 
Kevin Watkins
04-05-2004
Hi,

Hoping someone can help me. I have noticed different behaviour between
a website launched from Windows Explorer and Internet Explorer. I have
set up a simple test application to demonstrate this problem:

1. Create a new ASP.NET application in VS.NET at
http://localhost/test.
2. Added a default form, Default.aspx, that has a simple button that
does the FormsAuthentication stuff:

<%@ Page language="c#" Codebehind="Default.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest._Default" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>Default</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
<asp:Button id="Button1" runat="server" Text="Set Session"></asp:Button>
<br/>
<br/>
<asp:Label id="Label1" Runat="server"></asp:Label>
</form>
</body>
</HTML>

using System;
using System.Web.Security;

namespace LoginTest
{
    public class _Default : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Label Label1;
        protected System.Web.UI.WebControls.Button Button1;

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            InitializeComponent();
            base.OnInit(e);
        }

        private void InitializeComponent()
        {
            this.Button1.Click += new System.EventHandler(this.Button1_Click);
        }
        #endregion

        private void Button1_Click(object sender, System.EventArgs e)
        {
            // Test rig only: no credential check. The second argument (false) means
            // a non-persistent cookie, i.e. one the browser keeps in memory rather
            // than writing to disk; whether it is ever discarded is up to the client.
            FormsAuthentication.RedirectFromLoginPage("user", false);
        }
    }
}

3. Added a second form that does nothing:

<%@ Page language="c#" Codebehind="NeedsAuth.aspx.cs"
AutoEventWireup="false" Inherits="LoginTest.NeedsAuth" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>NeedsAuth</title>
</HEAD>
<body>
<form id="Form1" method="post" runat="server">
Hello!
</form>
</body>
</HTML>

using System;

namespace LoginTest
{
    public class NeedsAuth : System.Web.UI.Page
    {
        // Designer leftover: there is no LoginLabel control in NeedsAuth.aspx, so
        // this field is never bound. Harmless, but unused.
        protected System.Web.UI.WebControls.Label LoginLabel;

        private void Page_Load(object sender, System.EventArgs e)
        {
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            InitializeComponent();
            base.OnInit(e);
        }

        private void InitializeComponent()
        {
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion
    }
}

4. Changed my web.config file to the following:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation defaultLanguage="c#" debug="true"/>
<customErrors mode="RemoteOnly"/>
<authentication mode="Forms">
<forms name="TestAuth" loginUrl="Default.aspx" protection="All"
timeout="30" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true"/>
<sessionState mode="InProc" cookieless="false" timeout="40"/>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
</configuration>

Now, if I load up IE by clicking on the IE icon on my desktop, then
type in http://localhost/test/NeedsAuth.aspx, it redirects me to
Default.aspx. I click on the button and it redirects me back to
NeedsAuth.aspx as it should. Now if I shut down IE, then load it up
again by clicking on the IE icon and go to
http://localhost/test/NeedsAuth.aspx, it redirects me to Default.aspx
and I have to log in again, as expected.

Everything fine so far. However, if I try this via Windows Explorer I
get different behaviour. If I double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx into the address bar, it
redirects me to Default.aspx. I click on the button and it redirects
me back to NeedsAuth.aspx as it should. Now if I close the window,
then double click on 'My Computer' and enter
http://localhost/test/NeedsAuth.aspx again, it does not redirect me to
Default.aspx and I am fully logged in.

Similar tests with Page.Session and no authentication indicate that it
also has the same behaviour.

I presume this is to do with the way Windows Explorer runs IE. I get
an IExplore process in Task Manager if I load IE via its icon, but I
do not if I enter the URL into My Computer.

This is obviously giving me a major security hole: a user could load
up my application, forget to log out properly (or have their browser
crash), then another user could come along and enter the URL and be
fully logged in.

I've tried lots of things to get around this, but cannot solve the
problem. Currently I'm considering using a <body onunload=> JavaScript
method to post somewhere that does the FormsAuthentication.SignOut(),
but obviously this isn't great and wouldn't be any use if the browser
crashes. I've tried searching in these forums and in various newsgroups
without any luck.

Hopefully it's me being a muppet and I've missed something stupid. If
anyone can help I'd be really grateful!

Cheers,

Kev
 
Ken Schaefer
04-06-2004
See reply to the post that you posted in the www.asp.net forums

HTH

Cheers
Ken

Kevin Watkins
04-08-2004
I have done further testing on this. I believe the problem is because
session cookies are stored in memory. If you launch an IE instance
then the cookies are stored in that iexplore.exe process, so are lost
when it finishes. However if you browse the internet via explorer then
the cookies are stored in the explorer.exe process, which obviously
doesn't end so the session cookies don't die and the
session/authentication carries on when you load up the site again.

I have tested this on Win 2000 with IE 5.5 and IE 6, and on Win XP
running IE 6. The problem only seems to occur with IE 6.

Kev
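The thread's two findings (the in-memory cookie outliving the browser window, and the explanation that the cookie lives in the hosting process) point at the same server-side conclusion, which neither post spells out: the server must not depend on the client ever discarding a session cookie. With the posted web.config, `<deny users="?"/>` rejects only anonymous requests; any request carrying a ticket the server can decrypt and that has not yet expired is accepted, and with `slidingExpiration="true"` a request arriving in the second half of the 30-minute window re-issues the ticket, so a cookie that survives in a long-lived process keeps the login alive for as long as anyone at that machine uses it every half hour. A client-side unload hook does not change that, and, as the first post notes, does nothing after a crash. The following is an added example, not code from Kevin's post, the asp.net forums or Microsoft: it caps each login at an absolute lifetime that sliding renewal cannot extend, and makes logout abandon the server-side session as well as the cookie. It targets ASP.NET 1.1 (the `slidingExpiration` attribute in the posted config is a 1.1 feature, so no generics or 2.0 APIs), and the names `LoginHelper`, `AbsoluteLoginLifetimeModule`, `MaxLifetime` and its 60-minute value are my own assumptions; `Default.aspx` and 30 minutes are taken from the posted web.config.

```csharp
// Added example (not from the thread): bound a forms-authentication login on the
// server so that a session cookie the client never discards cannot be reused
// indefinitely. Targets ASP.NET 1.1; class and member names are my own choices.
using System;
using System.Globalization;
using System.Web;
using System.Web.Security;

namespace LoginTest
{
    public class LoginHelper
    {
        // Same 30 minutes as timeout="30" in the posted web.config.
        public const int TicketMinutes = 30;

        // Replacement for FormsAuthentication.RedirectFromLoginPage(user, false):
        // still a non-persistent cookie, but the original login time rides in
        // UserData, which a sliding-expiration renewal copies into the new ticket
        // (IssueDate is reset on every renewal, so it cannot serve this purpose).
        public static void IssueTicket(HttpResponse response, string userName)
        {
            string loginUtcTicks = DateTime.UtcNow.Ticks.ToString(CultureInfo.InvariantCulture);
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.Now, DateTime.Now.AddMinutes(TicketMinutes),
                false, loginUtcTicks);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                               FormsAuthentication.Encrypt(ticket));
            // No Expires set => in-memory session cookie, exactly as before.
            response.Cookies.Add(cookie);
        }
    }

    public class AbsoluteLoginLifetimeModule : IHttpModule
    {
        // Hard ceiling for one login, whatever the client does with the cookie
        // (assumed value; pick what the application can tolerate).
        public static readonly TimeSpan MaxLifetime = TimeSpan.FromMinutes(60);
        // Matches loginUrl="Default.aspx" in the posted web.config.
        private const string LoginPage = "Default.aspx";

        public void Init(HttpApplication app)
        {
            // Session state is only available from PreRequestHandlerExecute on,
            // and the forced logout below abandons it as well as the ticket.
            app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
        }

        public void Dispose() { }

        private void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            if (app.Context.User == null) return;
            FormsIdentity identity = app.Context.User.Identity as FormsIdentity;
            if (identity == null) return;   // anonymous, or not forms-authenticated

            if (!IsWithinAbsoluteLifetime(identity.Ticket.UserData, DateTime.UtcNow, MaxLifetime))
                ForceSignOut(app);
        }

        // Pure check, kept free of HttpContext so it can be unit-tested.
        // Anything that is not a ticket produced by IssueTicket fails closed,
        // including tickets from the old RedirectFromLoginPage call (empty UserData).
        public static bool IsWithinAbsoluteLifetime(string userData, DateTime nowUtc, TimeSpan maxLifetime)
        {
            if (userData == null) return false;
            long ticks;
            try
            {
                ticks = long.Parse(userData, CultureInfo.InvariantCulture);
            }
            catch (FormatException) { return false; }
            catch (OverflowException) { return false; }
            if (ticks < 0 || ticks > nowUtc.Ticks) return false;   // invalid or future login time
            return nowUtc.Ticks - ticks <= maxLifetime.Ticks;
        }

        // Explicit logout: expire the auth cookie, drop the InProc session,
        // send the browser to the login page.
        public static void ForceSignOut(HttpApplication app)
        {
            FormsAuthentication.SignOut();
            if (app.Context.Session != null)
                app.Context.Session.Abandon();
            app.Response.Redirect(LoginPage, true);
        }
    }
}
```

To wire it into the posted test application: register the module under `<system.web>` with `<httpModules><add name="AbsoluteLoginLifetime" type="LoginTest.AbsoluteLoginLifetimeModule, LoginTest"/></httpModules>` (the assembly name `LoginTest` is an assumption about the project), and in `Button1_Click` replace the `RedirectFromLoginPage` call with `LoginHelper.IssueTicket(Response, "user"); Response.Redirect(FormsAuthentication.GetRedirectUrl("user", false));`. A logout button should call `AbsoluteLoginLifetimeModule.ForceSignOut(HttpContext.Current.ApplicationInstance)`. Setting `slidingExpiration="false"` in the `<forms>` element is a cheaper partial fix (the ticket then dies 30 minutes after issue regardless of activity), but it still relies on the expiry encoded in the cookie; the module above is what enforces the ceiling even when the cookie has been renewed.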
 