Security :: FormsAuthenticationTicket In Firefox(multiple Instance Of Browser)
Oct 27, 2010
I am using forms authentication in asp.net application. This is working fine in internet explorer. Opening application in firefox is also fine but when i login in second instance of firefox, application in first instance logs out. Following is my code for creating ticket and cookie.
FormsAuthenticationTicket objTicket = new
FormsAuthenticationTicket(1, sUserName,
DateTime.Now,
DateTime.Now.AddMinutes(60),
false,
"");
I am finishing up my asp.net web application targeting .net 4.0. I am using VS2010.
I have deployed my application to a host server and now I am testing with multiple different browsers.
The first issue I ran into comes down to the following code:
[Code]....
If I use IE, login and click something that causes the above code to execute then currentUser is NOT null. However doing the exact same steps in FireFox currentUser is null, even though I know I am logged in as my name and other indications on the webpage confirms I am.
------------------------
Update
----------------------
Since originally posting this thread I have done more testing.
I placed a test button on a random page and the button click will update a label on that page indicating if the currentUser is null or not. This button works both in IE and in FireFox. Also both running locally and running on the host server.
----------------------
So now I am looking at what is different about the one place it appears not to work so let me try to make this clear.
I use a component called Uploadify to upload images into a database. That component calls a page/request called ImageUploader.ashx which inherits from IHttpHandler. Here is all the pertainent code from that file. [Code]....
The problem is when calling from FireFox, imgProvider.Status = null. This is a problem because the ImageProvider will try to insert a record into my database and the column for Status cannot be null so that causes it to crash. I made the change to detect if Status = null and return the user id if so as an error message to help me debug. To understand how Status is set you only have to look at a little code in the ImageProvider class:
[Code]....
You will notice when the ImageProvider is created it calls ClearFields(). Inside ClearFields() is where it gets the currentUser and if not null it sets the UserID property, which case the setter for UserID must set Status to either Approved or Pending. Whats happening is ONLY in FireFox, and after more testing, ONLY on the host server does currentUser = null even when I am logged in. but in other areas of code I can get currentUser and it works, also this works fine with IE, it also works fine with FireFox running locally. So I have icolated it down to this specific piece of code, when using FireFox, when running on Host server.
I am working on a website which uses a common database shared by another 2-3 websites. Now i am having a requirement that whenever a user clicks a link provided on another website and comes to my website and if the user is already logged in to my website then my website should not ask him to login again it should by pass the login page and show the next page.
Here the problem is i am not able to get the session objects in newly opened browser window even if the user is already logged in to my website in another browser window. I am not sure but i thing IE uses two different processes for two different browser instance and because of that i am not getting the session objects required. I can not ask the another website vendor to pass anything as a querystring.
I'm trying to dynamically create a url containing a FormsAuthenticationTicket that can then be emailed to a user who has forgotten their password. Then when the user follows the url they will be authenticated by the ticket in the url and be able to access the reset password page
I have tried creating a FormsAuthenticationTicket object and encrypting it but the string it produced seems way longer than the hash in the urls produced when using cookieless authentication.
that will be recongnised by cookieless authentication. But as I said the hash I come up with seems way to long and just not right at all.
you can see how long and different it is here by pressing the forgot password button..
[URL]
it says in the docs for FormsAuthenticationTicket that the encrypted ticket can be stored in a url. but I want to make it the same as those used by cookieless authentication so that it is recognised straight away.
I'm not using the Membership framework built into .NET but I'm using FormsAuthenticationTicket to make sure user is logged in. I have an object for my users in my application -- let's call it MyAppUser object. Can I save this in the FormsAuthenticationTicket as opposed to saving some string?
If I can't do that, I can save the object in session but I'm a little worried that session and FormsAuthenticationTicket will get out of synch.
I assume that any Role information is being stored in the FormsAuthenticationTicket in the UserData (delimited by some character).Second, I assume that any information in the Profile is not stored in memory / session anywhere, but when you do call the profile.VARIABLE, you are in fact doing a call to the DB (although it's simplified by the fact that it knows who you are when calling etc).Assuming the above is correct, I'm trying to complete a custom membership provider. As part of this each user will have a single role. So using a full blown role provider seems to be overkill. I assume that I can write the single role into the UserData in the FormsAuthenticationTicket myself?I would like to also store a number of other small bits of information in the ticket (such as a GroupId, VendorId which are seperate from the user / role). If I wanted to do this, and the role is held in the userdata, how would I identify what is a role and what is someother persistant data I need on the application?I could use Session items for these, but this might cause issues with the web-farm, plus the amount of data is very small (3 or 4, int32 values and maybe one string).Finally, items such as Address, PostCode, Contact Phone number all seem sensible items to place in the profile ( I'm using the table provider). Is the advantage here purely the ease of access? This isn't commonly used data, so if there is a round trip to the db thats not an issue really in this instance
I'm authenticating my users using the following code for the login event:
[Code]....
The following code runs in global.asax at Application_AuthenticateRequest:
[Code]....
Everything works great so far. Next thing that I need to do is add additional user information to the forms authentication ticket using user profile. When I try to add it right after the login code above, I end up getting an error message about anonymous profile. On the other hand, HttpContext.Profile is read only and doesn't seem to work. Is there any workaround for this?
I have a web application developed using VB .Net 2003, and is running ASP Net 1.1.
The application is running fine on all browser, except for the login/authentication control that doesn't work properly on Chrome.
We have different types of users using the website, and each user type has different menu items displayed for.
The problem is, if a user logs on with let's say Admin account, and logs off and later logs on again using student account, the user still gets the Admin menu, and of course vice versa.
I'm not sure if I'm doing something wrong, or there is something I'm missing here.
On more thing, if the timeout period reached, and the session was timed out , and the user (regardless of the type) tries to log on again, he is successful on all browser except on Chrome again!, where it keeps telling the session was timed out, and never logs on again until clearing the cookies.
I have a testproject and the forms timeout specified in web.config overrules the timeout which I set in FormsAuthenticationTicket. According the documentation, the timeout (expire date) in FormsAuthenticationTicket must override the timeout in web.config.
Documentation found on:
[URL]
[Code]....
Here is my code:
Web.config:
[Code]....
Login.aspc.cs:
[Code]....
Now, when I login, i get redirected after 1 minute of inactivity. This isn't supposed to happen, right? I have to be redirected after 2 minutes.
User 1 logs in the domain. User 1 changes some data without saving it. User 2 logs in the domain in a separate tab. User 1 switches back to his tab and saves the data. User 1 actually saved the data into User 2!!
This is caused by the following mechanism:
Different tabs in the same browser seems to share the same session id. We are storing user auth in cookie and the cookie is shared between tabs (same domain)
Therefore, when User 1 request to save, it is recognized as User 2 since the cookie has been updated to User 2.
So I'm wondering if there's any other methods to prevent this from happening, other than:
1. Use cookieless session so the session is embedded in uri.
2. Always include a hidden field in page to indicate which user owns the page.
I'm using Forms authentication in my application but I'm not using the Membership that's built into .NET.
How do I automatically send user to login page when his/her FormsAuthenticationTicket expires? I just don't want a user log in and leave a page on their computer screen long after their session has expired. I'd like to make sure that as soon as the user's FormsAuthenticationTicket has expired, I send them to login page.
1.) What is the name of the OS process in which App Domain resides.
2.)if suppose There are Three Windows application hosted on a same envoirment and two instance is working for each application at a Time, means now total instance are six .what will happen among the below written cases :
a.) There will be six different app domain in a single OS process
b.) There will three app domain(one for each application) in a single OS process and some Parallel thread will be executed in each app domain for another instance.
c.) There will be Three OS process corresponding to each application.
3.) If eveything will remain same except there are three web application in place of windows in point 2, will there be any change in functioning.
In web application I'm using devexpress toolkit, and have the right (correct) result in IE only (using also some java-script), on clicking event for example is working in chrome and safari, but in Firefox and Opera not The grid view are not showed properly in division in any other browser, except IE!
when i browse from IE and put a breakpoint here it returns true.But in FF the same code returns false.Its happening only for a UNC.It returns true for a local path(eg Directory.Exists(@C: est).
when i click the link button in Masterpage the window has to close. This function is working properly in IE but in fireFox or chrome or Safari Other than IE in all browsers postback is happening.
I have a dropdown list placed in Update Panel the issue is that when i am trying to make selection from the dropdownlist i am not able to select the items under it(i.e. after clicking on the dropdownlist the items get displayed but when i move the mouse over it the dropdownlist gets closed).
This issue is observed in Fire Fox only (works fine in IE and Google Chrome).
The web app in question provides a UI for editing a client (in the business sense, not the browser sense), identified by a ClientID. I store the ClientID in Session, which gets passed from page to page, along with a number of other pieces of data in Session. Works great.
The problem is that if the user opens a new browser window using Ctrl N or File->New Window (in IE), the new window comes up with the same page as the current page, with the same session info. Then if the user navigates to a different client in the 2nd window, the ClientID in session refers to the new client. If they go back to the original browser window and save, the original client gets saved using the 2nd ClientID, and all hell breaks loose, because now the data from the two jobs are intertwined.
I have enabled trace and verified that the new browser window uses the same SessionID as the original. If an entirely new instance of IE is opened, it has a different SessionID, so is not a problem. I have not yet investigated other browsers, such as Chrome or Firefox.
Is there any way to determine if a browser instance is opened for a web app which is already open in another window or tab? Or to prevent that from happening?
The function window.opener.location.reload(); is working fine with IE but not refreshing parent page in mozilla firefox browser. how to refresh parent page in cross browser/browser independent.
I'm trying to learn the ropes of ASP.NET MVC and so far so good. One thing which I haven't seen addressed yet is the 'right' or most elegant way to pass multiple data models to a view. To help put the question in context, take this example: Say I was making a blog. When I log in I want the home screen to display a list of all new unapproved comments, as well as a list of recently registered users, and a list of the most recently submitted blog posts.
Most discussions I've seen suggest strongly-typing the view page so it can be called with something like "return View(RecentComments)" and iterate through the comments in the view, or to cast the data model like "var NewUsers = (MembershipUserCollection) ViewData.Model". What I'm ideally after is the 'right', or at least a 'right-enough', way of passing multiple models while still maintaining appropriate logic separation.
I have 3 Databases that I am pulling data from for my web site. 2 of the databases are in the same SQL instance, however the 3rd one is in a different SQL instance. Both of the SQL instances are installed on the same server, one of them is a Named instance and the other is installed under the default instance. So my connection strings look something like this:
I'm in the process of moving this application from the Development Server to the Production Server when I noticed this issue. Previously the ABC and BCD connectionStrings where pointing to a different server and instance. So my question is how do I get this wo work with the server names being the same but the instances being different?
Im trying to implement an unit of work pattern by passing an unit of work instance into my repositories.
Relevant code from Global.asax.
[code]....
What i want is that a maximum of 1 instance of SqlUnitOfWork is created per request and is passed into my repositories (via their respective constructors).
Is the InRequestScope() method on the IUnitOfWork binding enough? If not how can i achieve this?
i have to use two different Ajaxfileupload controls in a page .But when i upload file through second control the second event doesnot get fired(UploadComplete) everytime first event is fired.
