There are 3 web apps.

Sites A and B are both ASP.NET web applications with FormsAuthentication configured, and there is a protected folder in site B which is also configured correctly in the web.config. Site C is a classic ASP site which keeps its authentication status in Session.

Now please consider the following steps:

1. There is a link with a target="_blank" attribute on a page of site A which links to the protected folder of site B;

2. Clicking this link opens site B in a new browser window and redirects to the login page;

3. Log in with your credentials and you are redirected to the protected page normally; now you can browse that page of site B, of course;

4. Now close the browser window which shows the protected page of site B; you can click the close button of the browser or press Alt+F4;

5. Then click the link on site A again; now you can access the protected page of site B without logging in again.

6. There is another link, also with target="_blank", on a page of site A which links to the protected page of site C; site C is an ASP site;

7. First open the protected page of site C; login is required, as expected;

8. Log in to site C and you can view the protected page, of course; then close the browser;

9. Click the link to site C again; you find yourself already authenticated on site C.

Oops, there are 10 steps already. I think these are boring, but they have really confused me for a few days.

Does anybody know about this issue? Many thanks.

+1  A: 

Both ASP and ASP.NET use a session cookie which is stored in the memory of the browser process. Opening a new browser window from a link doesn't start a new process; it just opens a new window owned by the same process as the original window.

Closing a window doesn't 'log off' the session because the session cookie will still be in the process memory; when yet another window visits the site, the existing session cookie will be sent, hence from the site's point of view this is still the same session, and that is the correct inference to draw.

Edit: The question is raised in a comment, 'How would this be avoided?'. The best answer would be: don't avoid it; absorb it as normal operation and save yourself a bucket load of trouble.

What you're asking for is a means of detecting that no windows are currently displaying content for a specific application. This is really difficult to achieve. Even if you only have one window on an application (which can't be guaranteed) you'd have to ensure all pages trapped the onunload event on the window and informed the server that the application is being logged off.

If it's critical that users have the ability to log off an application, then that is best achieved by providing a logout link on each page in some common header, as on the page you're looking at right now.

Typically a session in ASP is marked as 'logged on' by storing some kind of token in the session object. Pages that form part of that application would check for that token and, if it's not present, redirect to a login page.

To log out, the session value is deleted and the client is redirected to the login page.

In ASP.NET, FormsAuthentication has SignOut and RedirectToLoginPage methods, and Forms Authentication handles redirection to the login page automatically.

AnthonyWJones
Thanks, Anthony. But now I want to avoid this issue. How can I do that, then? Set the cookie timeout, or other approaches? Many thanks again.
Shiny
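The explicit logout link the answer recommends, written out as an added example (C# code-behind for ASP.NET Web Forms, not code from the original thread). It assumes a web.config with FormsAuthentication enabled and a folder named Protected locked down with an authorization rule, a configured Membership provider behind the login page, and the file names Login.aspx / Logout.aspx; all of those are assumptions, not facts from the thread. It also shows the one place the original behaviour is decided: the createPersistentCookie argument, which chooses between a ticket held only in the browser process (gone when the whole browser exits) and a persistent cookie written to disk.

```csharp
// Assumed web.config fragment the code below relies on (not part of the thread):
//
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true" />
//   </authentication>
//   <location path="Protected">
//     <system.web>
//       <authorization>
//         <deny users="?" />   <!-- anonymous users are redirected to loginUrl -->
//       </authorization>
//     </system.web>
//   </location>

using System;
using System.Web;
using System.Web.Security;

// Login.aspx.cs (assumed name): issues the forms-authentication ticket.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser assumes a Membership provider is configured.
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // Second argument: false = ticket cookie kept only in the browser
        // process's memory, so it survives closing one window (the behaviour
        // described in the question) but not exiting the browser entirely;
        // true = persistent cookie on disk, which also survives a browser restart.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}

// Logout.aspx.cs (assumed name): target of the logout link placed in the
// common header of every page, as the answer recommends.
public partial class Logout : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Remove the forms-authentication ticket cookie (.ASPXAUTH by default).
        FormsAuthentication.SignOut();

        // SignOut leaves server-side session state alone; discard it as well so
        // nothing keyed on the old session id remains valid.
        Session.Abandon();

        // Overwrite the session id cookie with an already-expired one so the
        // browser drops it immediately instead of keeping it in process memory.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // Redirect to loginUrl from <forms loginUrl="..."> and end the response.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The timeout and slidingExpiration attributes bound how long an idle ticket stays valid on the server side regardless of what the browser does; they do not, on their own, end a session when a window is closed, which is exactly the point the answer makes about relying on a logout link instead of window events.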