views:

675

answers:

2

We have a web application running on ASP.NET 3.5. It is viewed by the world as one URL but in reality there are multiple IIS boxes hosting the application controlled by a load balancer.

My problem is that it is a sensitive application with strict security controls around it, and that post authentication if you open another browser to the same application and log in as someone else, the second login overwrites the first login's session id value in the cookie, and then the first window crashes.

Any idea how I can get around this?

+1  A: 

The session ID is placed in the cookie. If another browser window is opened and starts a second session the ID in the cookie will be replaced.

Also, logins should not be controlled via the session cookie. There is a Forms Authentication cookie for that purpose which is more secure as I recall.

Colin Mackay
"The session ID is placed in the cookie. If another browser window is opened and starts a second session the ID in the cookie will be replaced." - This is exactly my problem, as for the Forms Authentication cookie, we have our own authentication server, and really cannot replace this in any easy manner.
JR
A separate authentication server does not disbar you from using Forms Authentication. They still have to type their authentication details in a web page somewhere on your site?
Colin Mackay
Or are you saying the other server authenticates the user then passes them to your site? (Like OpenID?)
Colin Mackay
No, our site does the authentication, and stores all of it in a SQL database. The problem is that according to MS, by default they allow up to 20 different cookies per site on a pc, but we find that it only uses 1 and that causes heaps of grief for us.
JR
But the session cookie will always be named the same (so that ASP.NET knows which cookie holds the session ID), hence the clash.
Colin Mackay
+1  A: 

Most web applications only allow one session per PC. Try logging into Yahoo Mail, Amazon or eBay twice on the same machine and you will find the same problem. So ASP.NET is pretty much designed around the idea that there is one login per PC. Although, if you have multiple browsers installed on a machine, you can generally log into apps more than once because each browser keeps its own cookie collection.

edit: You might want to try cookieless sessions; in theory they might allow multiple sessions per PC, although I haven't tried it. But cookieless sessions come with plenty of problems and limitations of their own.

In short, there may be some hacky way to do what you want to do, but it will probably be fiddly and cause other problems elsewhere, because what you are asking for goes against the grain of ASP.NET's core design.

codeulike
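The clash Colin Mackay describes, and the cookieless alternative codeulike mentions, come down to how a browser stores cookies: one jar per browser profile, keyed by host, path and cookie name, so a second Set-Cookie with the same name replaces the first. The simulation below is an added example, not code from the question or either answer. It models a shared cookie jar, a server that hands out a session id under ASP.NET's default cookie name, and a cookieless window that carries the id in its URL instead; the class and function names are invented for the illustration.

```python
"""Constructed simulation of the session-cookie clash discussed in the thread.

Models: a browser cookie jar shared by every window of one browser, a server
that maps session ids to users, a cookie-based window, and a cookieless
window that keeps the session id in its own URL (ASP.NET's cookieless mode
embeds it in the path as /(S(<id>))/). All names here are illustrative.
"""
import secrets

SESSION_COOKIE_NAME = "ASP.NET_SessionId"   # ASP.NET's default session cookie name
HOST = "app.example"                        # constructed host name


class CookieJar:
    """One jar per browser profile; every window of that browser shares it."""

    def __init__(self):
        self._cookies = {}  # (host, path, name) -> value

    def set(self, host, path, name, value):
        # A Set-Cookie for an existing (host, path, name) key replaces the old value.
        self._cookies[(host, path, name)] = value

    def get(self, host, path, name):
        return self._cookies.get((host, path, name))


class Server:
    """Server-side session table: session id -> authenticated user."""

    def __init__(self):
        self.sessions = {}

    def login(self, username):
        sid = secrets.token_hex(16)          # fresh, unguessable id per login
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)        # None if the id is unknown


class CookieWindow:
    """A browser window that relies on the shared jar for its session id."""

    def __init__(self, jar, server):
        self.jar, self.server = jar, server

    def login(self, username):
        sid = self.server.login(username)
        self.jar.set(HOST, "/", SESSION_COOKIE_NAME, sid)

    def whoami(self):
        # Every request sends whatever id the jar currently holds.
        return self.server.whoami(self.jar.get(HOST, "/", SESSION_COOKIE_NAME))


class CookielessWindow:
    """A window whose session id lives in its URL, so it is not shared."""

    def __init__(self, server):
        self.server, self.url = server, "/"

    def login(self, username):
        sid = self.server.login(username)
        self.url = f"/(S({sid}))/"

    def whoami(self):
        sid = self.url[len("/(S("):-len("))/")] if self.url != "/" else None
        return self.server.whoami(sid)


def cookie_scenario():
    """Two windows of one browser: the second login overwrites the first."""
    jar, server = CookieJar(), Server()
    w1, w2 = CookieWindow(jar, server), CookieWindow(jar, server)
    w1.login("alice")
    before = w1.whoami()
    w2.login("bob")
    return before, w1.whoami(), w2.whoami()


def separate_browsers():
    """Two browsers, two jars: both logins survive."""
    server = Server()
    w1, w2 = CookieWindow(CookieJar(), server), CookieWindow(CookieJar(), server)
    w1.login("alice")
    before = w1.whoami()
    w2.login("bob")
    return before, w1.whoami(), w2.whoami()


def cookieless_scenario():
    """Two cookieless windows: each keeps its own id in its URL."""
    server = Server()
    w1, w2 = CookielessWindow(server), CookielessWindow(server)
    w1.login("alice")
    before = w1.whoami()
    w2.login("bob")
    return before, w1.whoami(), w2.whoami()


if __name__ == "__main__":
    print("shared jar:       ", cookie_scenario())     # ('alice', 'bob', 'bob')
    print("separate browsers:", separate_browsers())   # ('alice', 'alice', 'bob')
    print("cookieless:       ", cookieless_scenario()) # ('alice', 'alice', 'bob')
```

The first scenario reproduces the question: after the second login, window 1's requests carry bob's id, so the server now treats that window as bob and any per-user state it cached for alice no longer matches. The cookieless variant avoids the clash only because the id is no longer in the shared store; it also puts the session id in every URL, referrer and proxy log, which is the kind of limitation the second answer warns about.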