Re: Authentication and sessions


From: Dan Brussee (dbrussee_at_nc.rr.com)
Date: 02/28/04


Date: Sat, 28 Feb 2004 16:09:47 GMT

I'll take a stab at the final Q(s)...

A new window opened from the original one will have the same session
ID. If this is not desired, you will need to handle this.

Security is in place to disallow access to cookies from another
server, or even another virtual web on the same server. You can,
however, place a cookie at the root of a web and access it from
different sub-webs. For instance, you could place a cookie while in
www.domain.com/first/page.aspx and tell it to reside at
www.domain.com. Now, another page, let's call it
www.domain.com/second/page.aspx, could get access to that cookie. It is
assumed that if you place the cookie at the root, you have the rights
to do so and that you will want this information from another level of
the same web.

On Sat, 28 Feb 2004 15:06:05 +0000, Paul <paul@hotmail.com.invalid>
wrote:

>In article <#YTidbe#DHA.2348@TK2MSFTNGP09.phx.gbl>, .NET Follower
><amitagarwal-NET@SoftHome.net> writes
>>hi,
>>basically in login code
>>we store userid in session
>>and then check on each page
>>if that Session[userid] exists
>
>Yeah, I can do that.... but..... we use Windows authentication on our
>Intranet so if we detect that the cookie doesn't exist (say, due to 20
>mins inactivity) then we re-direct to a login page, but of course
>Windows thinks that the user is still logged on so immediately
>re-authenticates (even if they logged on to the PC using a generic acct
>and logged on to the web app thro' IE)
>
>How can we cancel or revoke that (IE set) authentication to make the
>user have to re-authenticate to the web app. I have seen a quite
>complex method of using forms authentication to authenticate against an
>Active Directory, but this seems to require passwords being sent in plain
>text (or the setting up of SSL to protect them.)
>>
>
>One final Q. Session variables relate to that user session (that is the
>local browser session)... yes?
>
>1. How do they cope with opening new windows from the original one?
>
>2. can a session variable (which is essentially a cookie) that has been
>set by http://intranetserver1/webapp1 be read by
>http://intranetserver2/someotherwebapp ? (assuming both apps know the
>name of the session var.)
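The cookie-scoping rules Dan describes above can be checked offline with Python's standard cookie jar, which applies the same host and path matching a browser does. This is an added example and not code from the thread; the hostnames and paths are the ones used in the posts, and the Set-Cookie headers are constructed for illustration (ASP.NET_SessionId is the real name of the ASP.NET session cookie, the other names are made up).

```python
"""Model browser cookie scope (host isolation, Path attribute) with
http.cookiejar. Constructed example: hosts/paths from the thread, cookie
values invented."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for a urllib response; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def set_cookie(jar, url, header_value):
    """Simulate the server at `url` answering with one Set-Cookie header."""
    jar.extract_cookies(_FakeResponse([header_value]), Request(url))


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def demo():
    jar = CookieJar()

    # 1. Session cookie issued by webapp1 on intranetserver1. No Domain and
    #    no Path attribute, so the jar scopes it to that host and to the
    #    /webapp1 directory the response came from.
    set_cookie(jar, "http://intranetserver1/webapp1/login.aspx",
               "ASP.NET_SessionId=abc123")

    # 2. A cookie placed "at the root of the web" from /first/page.aspx:
    #    Path=/ makes it visible to every path on www.domain.com.
    set_cookie(jar, "http://www.domain.com/first/page.aspx",
               "prefs=dark; Path=/")

    # 3. The same page placing a cookie with no Path: scoped to /first only.
    set_cookie(jar, "http://www.domain.com/first/page.aspx",
               "first_only=1")

    return {
        # same host, same sub-web: the session cookie travels
        "server1_webapp1": cookies_sent_to(
            jar, "http://intranetserver1/webapp1/home.aspx"),
        # a different server never sees intranetserver1's session cookie
        "server2_other": cookies_sent_to(
            jar, "http://intranetserver2/someotherwebapp/home.aspx"),
        # the root-scoped cookie reaches /second, the /first-scoped one does not
        "domain_second": cookies_sent_to(
            jar, "http://www.domain.com/second/page.aspx"),
        # under /first both cookies are sent
        "domain_first": cookies_sent_to(
            jar, "http://www.domain.com/first/other.aspx"),
    }


if __name__ == "__main__":
    for scope, names in demo().items():
        print(f"{scope:16} -> {names}")
```

Two things worth noting from the run: the second server gets nothing at all, so a session cookie is never a channel between intranetserver1 and intranetserver2, and a cookie set without an explicit Path is confined to the directory of the page that set it, which is why an application that wants a cookie shared across sub-webs must set Path=/ deliberately.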


