Re: Bug in forms authentication?

KMA wrote:
> I'm still a bit puzzled as to why you think the observed behaviour is
> incorrect. If I launch two instances of the same browser then they share the
> same (client-side stored) cookie. If I log on in one then I'm effectively
> logged on in the other. The "browser type cookie is logged on", you might
> say.

I know that this behaviour can be correct in one situation, but it is not
correct in another. In my situation I'd like to log in in one browser
with a different role than in another. If I'm logged in in one browser and
I am automatically authorized to the site from other browsers, I cannot
log in as a different user with a different role.


> However, if you are personally storing something in a session volatile way
> and the sessions are lost through a restart, it is up to you to write that
> data to permanent storage beforehand and recover it after. But I don't see
> how the Forms authentication model is to blame here.

I blame it because it doesn't work in the situation I described earlier. I
agree that in one situation the behaviour is correct, but if I want
something else it seems that it can't be customized. The fix would be
simple: the cookie name or data should be allowed to append user-defined
data (e.g. user name/role/id); then if I wanted to log in from two
browsers I would have two cookies, and when logging off only the one cookie
(matching the defined data) should be deleted.

regards,
mircu
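As an added example, not code from this thread and not the behaviour of ASP.NET's own FormsAuthenticationModule, here is one way the per-user cookie idea above could be built on the System.Web forms authentication API: each user gets their own ticket cookie, sign-out expires only that cookie, and the server-side validation collects every still-valid ticket in the request. The `.PERUSERAUTH_` prefix, the `CookieNameFor` scheme and the class name are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

// Added example for this thread, not code from the original post or from
// ASP.NET itself: one forms-authentication cookie per user so that two logins
// from the same browser profile coexist, and sign-out removes only the matching
// cookie. The prefix and the CookieNameFor scheme are assumptions.
public static class PerUserFormsAuth
{
    private const string Prefix = ".PERUSERAUTH_";   // hypothetical prefix

    // Derive a cookie name from the user name without putting the user name
    // itself (or characters that are illegal in a cookie name) on the wire.
    public static string CookieNameFor(string userName)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(userName.ToLowerInvariant()));
            var name = new StringBuilder(Prefix);
            for (int i = 0; i < 8; i++) name.Append(digest[i].ToString("x2"));  // 64-bit tag
            return name.ToString();
        }
    }

    // Issue an encrypted, signed ticket exactly as FormsAuthentication would,
    // but under the per-user cookie name. The role goes in UserData so the
    // server can restore it without a database lookup.
    public static void SignIn(HttpResponse response, string userName, string role)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, role, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(CookieNameFor(userName), FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep it out of script reach
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL from web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Expire only this user's cookie; another user's cookie in the same jar survives.
    public static void SignOut(HttpResponse response, string userName)
    {
        var expired = new HttpCookie(CookieNameFor(userName), string.Empty)
        {
            Expires = DateTime.Now.AddYears(-1),
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(expired);
    }

    // FormsAuthenticationModule only reads the cookie named in web.config, so
    // per-user cookies must be validated by hand (e.g. in Application_AuthenticateRequest).
    // The browser sends every matching cookie on every request, so this returns all
    // still-valid tickets; which one belongs to the current window cannot be told
    // from the cookies alone.
    public static List<FormsAuthenticationTicket> ValidTickets(HttpRequest request)
    {
        var tickets = new List<FormsAuthenticationTicket>();
        foreach (string name in request.Cookies.AllKeys)
        {
            if (name == null || !name.StartsWith(Prefix, StringComparison.Ordinal)) continue;
            HttpCookie cookie = request.Cookies[name];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value)) continue;
            try
            {
                FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
                if (t != null && !t.Expired) tickets.Add(t);
            }
            catch (Exception)   // Decrypt throws on tampered or undecryptable data
            {
                // treat the cookie as absent rather than trusting it
            }
        }
        return tickets;
    }
}
```

The part the thread leaves open is selection: because both cookies ride on every request from that browser profile, `ValidTickets` can only hand back the set of candidates, and the application still needs something per window (not per cookie jar) to decide which user a given request is acting as, with the role taken from that chosen ticket's `UserData` and never from client-supplied form fields.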