Re: ADFS Token Auth clarification



This is the expected behavior and you can't change it since the _WebSsoAuth
cookie is a session cookie, not a "file-based" cookie.

Session cookies are shared across a browser process. That includes all
windows opened by that process. Most browsers allow you to have more than
one distinct process open at the same time, so this can get a little
confusing for end users as it is often difficult to tell which windows
belong to which process. Thankfully, tabs won't span processes.

The only way I can think of to get around this would be to customize the
login page for the FS-P so that you issued your own cookie with an "expires"
field set that would allow SSO back to your customized page. I wouldn't
recommend doing this though, especially if you aren't an experienced ASP.NET
developer with a solid understanding of web security coding practices.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:63FAAC7B-5F6C-4323-B903-933A27BC4484@xxxxxxxxxxxxxxxx
Just a quick point of clarification.

I have my ADFS environment (w/proxy) in development testing .ASP,
Sharepoint 2003 and Sharepoint 2007 applications on multiple servers using
Windows NT Token Authentication.

My question is: once my token is received and I gain access to the
application, I will not be prompted for authentication again as long as I
stay in that browser window. This includes multiple tabs in IE 7.

Once I open up an entirely new browser session, while the first one is
still open, I am prompted to authenticate again with my username and
password. Is this an expected response or is this a symptom of misplaced
or incorrect cookie settings?

I would prefer not to have this happen and the cookie storing the
authorization information to be available to multiple browser sessions.

I believe when I originally set ADFS up using the step-by-step guide I did
not have this response when using multiple browser windows.

Thanks in advance for the clarification.
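
The difference between the session cookie and the "expires" cookie
discussed in the reply above, as an added example (not from the original
thread or from ADFS itself): a small Python check that reads Set-Cookie
headers and reports whether each cookie is session-only or persistent and
which protective flags it lacks. The header values, the CustomSso cookie
name and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; values and attributes are illustrative only.
SESSION_HDR = "_WebSsoAuth=opaque-value; path=/; secure; HttpOnly"
CUSTOM_HDR = "CustomSso=opaque-value; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/"

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Seconds the cookie outlives 'now', or None when it is a session cookie."""
    try:
        return int(attrs["max-age"])          # Max-Age wins over Expires (RFC 6265)
    except (KeyError, ValueError):
        pass                                  # absent or invalid: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None                           # no usable expiry: session cookie
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return int((expires - now).total_seconds())

def audit(header, now=None):
    """Classify a cookie and list the protective flags it lacks."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    remaining = lifetime_seconds(attrs, now)
    if remaining is None:
        kind = "session"        # held in memory, gone when the browser process exits
    elif remaining > 0:
        kind = "persistent"     # written to disk, survives a browser restart
    else:
        kind = "expired"        # the browser deletes it immediately
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return {"name": name, "kind": kind, "remaining": remaining, "missing": missing}

if __name__ == "__main__":
    for hdr in (SESSION_HDR, CUSTOM_HDR):
        print(audit(hdr))
```

A persistent result with Secure or HttpOnly missing is the case the reply
warns about: an authentication cookie that stays on disk without the flags
that limit where it can be sent or read.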


