Session-specific Auth Cookie

 
 
Matt Braun
02-02-2006
I'm testing an ASP.NET 2.0 Application that uses Forms Authentication, a
custom Security Provider, and the built-in asp:Login server control. I've
discovered that if I open two or more separate instances of a given browser
(i.e., 2+ instances of IE or 2+ instances of FireFox) and log in to one browser
using one set of credentials and the other using another set that sporadically
the browsers begin sharing the information about who is logged in and, thus, I
can only effectively be logged in as one person at a time from a given
machine.

Generally - in IE - if I only use the buttons in the application to move
around then I'm okay but if I hit the browser's back button it tends to
change me over to the credentials of whichever user I most recently loaded a
page for.

In Firefox, the behavior is a bit different - it consistently shares the
information across all instances no matter if I'm clicking through only using
buttons/links in the app or if I'm using my back button.

Naturally, if I have FireFox and IE open at the same time, they don't share
the data and I *can* run two separate logged in users from the same machine.
Based on this behavior, I think that what is happening is that the .ASPAUTHX
cookie is being shared across my sessions in any given version of browser.

1. Can anyone confirm that what I'm seeing is expected behavior? Should
.ASPXAuth cookies (for a single application) be shared globally across all
instances of a given browser?

2. Is it possible to enforce .ASPAUTHX cookies to be session-specific to
allow for having two instances of IE open at the same time but logged in as
two different users?
 
Dominick Baier [DevelopMentor]
02-02-2006
Hi,

this sounds like you are persisting the cookie on the hard drive.

Usually the auth cookie is a temporary cookie per session. However - if you
start a new IE instance using ctrl+n e.g. they share the temporary cookies.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Matt Braun
02-02-2006
I agree and what you describe is the behavior I was expecting - that each
session would have its own auth cookie. My code (neither the web app nor the
custom security provider) doesn't write the cookie though since I'm relying
on ASP.NET's forms authentication to handle that. As such, I'm uncertain why
I'm not experiencing the behavior we both expect.

Further ideas on why ASP.NET would be writing the cookie in a way that makes
it shared? If I look at the cookie in FireFox it does indeed identify itself
as an "Expire At End Of Session" so, at least to that degree, it seems to be
marked as a Session cookie.

Dominick Baier [DevelopMentor]
02-02-2006
Hi,

get a tool like www.fiddlertool.com and poke around in the HTTP traffic -
I am not sure what the reason could be - never experienced that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Joe Kaplan (MVP - ADSI)
02-03-2006
When I see problems like this, it often has to do with confusion between a
browser window and a browser process and how session cookies work.

IE (and probably Firefox it sounds like) will share session cookies across
the entire process. Here, a "session cookie" is the kind of cookie that is
not written to disk. It is kept in memory by the browser process and "goes
away" when the process terminates.

A browser process can have multiple windows though. You see this all the
time when you do ctrl+N in IE or right click "new window". As such, those
windows will all send the same cookies back to the server. Since session
state in IE is cookie based, all of those browser windows will use the same
session state.

However, it is also possible to have multiple IE processes running at the
same time. These will not share session cookies.

I agree with Dominick that using a tool like Fiddler or a plugin like
ieHttpHeaders for IE (or the built in header stuff in Firefox) is a good way
to see which cookies an individual browser window is receiving and sending so
you can see what's going on.

HTH,

Joe K.

Matt Braun
02-03-2006
To eliminate the chance that something specific to my implementation was
causing this, I've created a simple project that uses the
ReadOnlyXmlMembershipProvider (from
http://msdn.microsoft.com/library/de...ovMod_Prt1.asp)
and demonstrates in a finite number of steps what is happening.

I've replicated the problem on Windows XP SP2 with IE 6.0 and with FireFox
1.0.7 and on Mac OSX 10.4.4 with Safari 2.0.3 so I'm confident it's not a
client issue.

To see the problem in action, look here and follow the instructions at the
top of the page: http://www.ization.com/authtest/default.aspx

To download the project and see the code that runs the example, look here:
http://www.ization.com/authtest/authtest.zip

Hopefully there's a simple setting that I'm overlooking that will fix this.
(At this point, I'll even take a complex solution, though!)

I look forward to your help.

Matt

Luke Zhang [MSFT]
02-06-2006
Hello,

How did you open a new IE window? Click menu "File\New\Window", or click
"Start" button on desktop and "All programs/Internet Explorer"? And will it
make a difference if you open IE in a different way? I agree with Joe that
the session will be shared in an IE process. If you just open a new IE
window by clicking menu "File\New\Window", they will be in the same session.
Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Matt Braun
02-06-2006
I am opening a new instance of IE by accessing IE on the Start Menu two
different times. That's why I'm perplexed by the behavior; I would expect
the session to cross browsers in the same process but not those in different
processes. Try the example step for step and you'll be able to recreate what
I'm seeing.

Matt

Joe Kaplan (MVP - ADSI)
02-06-2006
If you use something like ieHttpHeaders to watch the cookies going back and
forth, do the two different browser processes send the same ASP.NET session
cookie back to the server? That would cause confusion server-side.

Joe K.

Matt Braun
02-08-2006
I ran the test and gathered the output using ieHTTPHeaders. I don't see
anything in the output that indicates to me that the same cookie is being
sent; the AuthTest cookie (which is the name assigned to my cookie in the
<forms> section of web.config) in both browsers shows a different value.
Here is what I got from each browser:

------------------------
** BROWSER #1 **
------------------------

GET /authtest/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---

GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651 603188281250
HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

GET
/authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJh xpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:57:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Content-Length: 391
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEP DwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG 9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5J bWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginVi ew%24Login%24UserName=Test1&LoginView%24Login%24Pa ssword=1234&LoginView%24Login%24LoginButton=Log+In &__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwC ALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/default.aspx
Set-Cookie:
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED0 96EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675 B81776E3CD41F3276B6038C48441F7835ADBBD845A90068233 22BDE8832D1A97A520C; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/default.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED0 96EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675 B81776E3CD41F3276B6038C48441F7835ADBBD845A90068233 22BDE8832D1A97A520C

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/contentpage.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer: http://www.ization.com/authtest/default.aspx
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=629F5785D2A6CE101C24E66FCFC350033F1A3BED0 96EB0CA47AE87709E9CB1E55FCB57A87E6291BBBAE8AFB0675 B81776E3CD41F3276B6038C48441F7835ADBBD845A90068233 22BDE8832D1A97A520C

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---


------------------------
** BROWSER #2 **
------------------------

GET /authtest/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/Default.aspx?AspxAutoDetectCookieSupport=1
Set-Cookie: AspxAutoDetectCookieSupport=1; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---

GET /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/WebResource.axd?d=C63XMr7x7OWNV1YSnMBzow2&t=632651 603188281250
HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

GET
/authtest/WebResource.axd?d=_TCYs_ru9xNrmEJKM_PpFKupSYrCflJh xpUzV3LFrVc1&t=632651603188281250 HTTP/1.1
Accept: */*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:58:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/x-javascript
--------------: -----

POST /authtest/Default.aspx?AspxAutoDetectCookieSupport=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Content-Length: 391
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEP DwULLTE2NDgzMzk5NDlkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG 9zdEJhY2tLZXlfXxYBBSBMb2dpblZpZXckTG9naW4kTG9naW5J bWFnZUJ1dHRvbsMREQrO8pSJoT%2BiljzbmAbiIMPr&LoginVi ew%24Login%24UserName=Test2&LoginView%24Login%24Pa ssword=1234&LoginView%24Login%24LoginButton=Log+In &__EVENTVALIDATION=%2FwEWBALkydGIDQK5i5yWDwLE1tHwC ALLjvi6Dt%2B1qQ%2FQnHPIrYSQtruClsx%2BwsBp

HTTP/1.1 302 Found
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /authtest/default.aspx
Set-Cookie:
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B 9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820 F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B4239 9E7818C1396873853CB; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/default.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer:
http://www.ization.com/authtest/Defa...ookieSupport=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B 9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820 F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B4239 9E7818C1396873853CB

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 20:59:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ----

GET /authtest/contentpage.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
*/*
Referer: http://www.ization.com/authtest/default.aspx
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)
Host: www.ization.com
Connection: Keep-Alive
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=B8DEE7C8027848A924187D44C1630458FB916247B 9FD51A4EC42051C25A788E1AA025DDBF8BCBBFA28111B0C820 F2FAEF2E46B8A06F5D9CB5AA32DEECF23E3D780BA5D70B4239 9E7818C1396873853CB

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 08 Feb 2006 21:00:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
--------------: ---
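The check suggested and carried out in the thread above, as an added example that is not any poster's code: it parses ieHttpHeaders-style traces from two browsers, reports whether the forms-auth cookie was issued as a session or persistent cookie, and flags any request that carried a ticket issued to the other browser (what windows sharing one process's cookies would produce). The traces, the host app.example and the ticket values are constructed placeholders; only the cookie name AuthTest comes from the thread.

```python
import re

HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(?:\s+(.*))?$")
REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/\d\.\d$")
RESPONSE = re.compile(r"^HTTP/\d\.\d \d{3}")

# Constructed traces in the ieHttpHeaders style shown above. Host and ticket
# values are placeholders; only the cookie name AuthTest is from the thread.
LOGIN = """\
HTTP/1.1 302 Found
Location: /authtest/default.aspx
Set-Cookie: AuthTest={t}; path=/; HttpOnly

GET /authtest/default.aspx HTTP/1.1
Host: app.example
Cookie: AspxAutoDetectCookieSupport=1; AuthTest={t}
"""
NEXT_OWN = """
GET /authtest/contentpage.aspx HTTP/1.1
Host: app.example
Cookie: AspxAutoDetectCookieSupport=1; AuthTest=AAAA1111
"""
# Same request carrying B's ticket, with the header wrapped as in the post.
NEXT_CROSSED = """
GET /authtest/contentpage.aspx HTTP/1.1
Host: app.example
Cookie: AspxAutoDetectCookieSupport=1;
AuthTest=BBBB2222
"""
A, B = LOGIN.format(t="AAAA1111"), LOGIN.format(t="BBBB2222")
SEPARATE = {"A": A + NEXT_OWN, "B": B}
SHARED = {"A": A + NEXT_CROSSED, "B": B}


def parse_messages(trace):
    """Split a header trace into (kind, start_line, [[name, value], ...])."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if REQUEST.match(lines[0]):
            kind = "request"
        elif RESPONSE.match(lines[0]):
            kind = "response"
        else:
            continue  # POST body or other non-header text
        headers = []
        for line in lines[1:]:
            m = HEADER.match(line)
            if m:
                headers.append([m.group(1).lower(), m.group(2) or ""])
            elif headers and not line.startswith("---"):
                # Wrapped header value: join it to the previous header.
                headers[-1][1] = (headers[-1][1] + " " + line).strip()
        messages.append((kind, lines[0], headers))
    return messages


def summarize(trace, cookie_name):
    """Collect the tickets one browser was issued and the ones it sent back."""
    issued, sent = [], []
    for kind, start, headers in parse_messages(trace):
        for name, value in headers:
            if kind == "response" and name == "set-cookie":
                pair, _, attrs = value.partition(";")
                cname, _, cval = pair.strip().partition("=")
                if cname != cookie_name:
                    continue
                flags = {a.strip().split("=")[0].lower() for a in attrs.split(";")}
                issued.append({
                    "value": cval,
                    # No Expires/Max-Age means an in-memory session cookie.
                    "persistent": bool(flags & {"expires", "max-age"}),
                    "httponly": "httponly" in flags,
                })
            elif kind == "request" and name == "cookie":
                jar = dict(p.strip().partition("=")[::2]
                           for p in value.split(";") if "=" in p)
                if cookie_name in jar:
                    sent.append((start, jar[cookie_name]))
    return {"issued": issued, "sent": sent}


def compare(traces, cookie_name):
    """Return per-browser summaries and requests that carried another's ticket."""
    summaries = {b: summarize(t, cookie_name) for b, t in traces.items()}
    owner = {c["value"]: b for b, s in summaries.items() for c in s["issued"]}
    crossed = [(b, start, owner[v])
               for b, s in summaries.items() for start, v in s["sent"]
               if v in owner and owner[v] != b]
    return summaries, crossed


if __name__ == "__main__":
    for label, traces in (("separate", SEPARATE), ("shared", SHARED)):
        summaries, crossed = compare(traces, "AuthTest")
        print(label, "crossed tickets:", crossed)
```

An empty crossed list with differing issued values matches what the 02-08 trace shows: each browser keeps its own ticket at the HTTP level.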
 
 
 