I implemented Forms authentication by creating Default.aspx and a custom login page named login.aspx. If unauthenticated users browse to Default.aspx, they are redirected to login.aspx, and only if a match is found for the supplied credentials is the user redirected to default.aspx.

  • But when using Firefox, it appears all browser instances use the same authentication cookie instance, and thus if user in browser B1 logs in as user U1, then all browser instances visiting that web application will be logged in as user U1. So if for example browser instance B1 requests Default.aspx for the first time, it will immediately be granted access.

  • If, after I logged in as user U1, I surf to login.aspx and log in using a different username (say user U2), then on postbacks all browsers (previously logged in as user U1) will now be logged in as user U2.

How can I prevent this sort of behavior so that each browser instance would receive its own authentication cookie?

+4  A: 

Each browser instance will have its own set of cookies. And history. And bookmarks. Because each running instance will need to be attached to its own profile.

Any given instance can have multiple tabs and windows open however. And those will share cookies. If that doesn't work for you, then don't use cookies...

If you just want this to make testing easier, why not set up a separate testing profile and launch a separate instance of Firefox attached to that?

Shog9
Why would a separate instance have its own set of cookies? In general, if I go to a site, and it sets a cookie, I can then reboot the computer, and my browser will send the same cookie back. How much more so for two browser instances with no reboot in between?
John Saunders
@Shog9: What's a profile?
John Saunders
A set of configuration and state settings for Firefox. By default, there's only one for each user on the machine who has used Firefox - named "default", and stored in their user directory. But you can create more...
Shog9
Interesting. It sounded like you meant something specific to Firefox, and not Windows profiles. But I can't see how to create a new profile from Tools-Options. Can you say how to create a separate profile?
John Saunders
Launch firefox.exe with the -p option, and it'll let you manage profiles. To launch a new instance when one is already running, use the -no-remote option. To load a specific profile, pass the name of the profile after the -p option. So, my testing shortcut looks like this: firefox.exe -no-remote -p "test"
Shog9
+3  A: 

A quick experiment showed me what Shog9 is implying. Start Firefox. Then start another "instance" of Firefox. Then look in Task Manager, and you'll see that you only have a single firefox.exe process running.

I presume he means that you have never actually seen two instances of Firefox. You've only seen the same instance running two windows. Naturally, those share the same cookies.

I presume this implies that in order to actually have separate instances, they'll have to run under separate logins or perhaps user profiles, and they will have separate sets of cookies.


EDIT: some resources on profiles in Firefox:

John Saunders
I started two "instances" of Firefox and then checked Task Manager, and indeed there's only one instance present. IE, on the other hand, does start a new instance and not just a new window (IE works as expected). Thank you all for your help.
SourceC
+1  A: 

I second that your question is vaguely worded. Firefox allows you to have an arbitrary number of cookie sets. Each set must be part of a Firefox profile. Each profile can have an arbitrary number of windows and processes open (note, to avoid joining an existing process you must use no-remote).

I think you have been using multiple windows with the same profile, which are expected to share a cookie set.

Matthew Flaschen
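
The behaviour discussed in this thread, reproduced as an added example (not code from any of the posters): a stand-in site issues an authentication cookie, and each "window" is an HTTP client bound to a profile's cookie jar. The cookie name AUTH, the /login and /default paths and the plain-text ticket value are assumptions made for the demo; a real Forms authentication ticket is encrypted and signed.

```python
import threading
import urllib.request as ur
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

class Handler(BaseHTTPRequestHandler):
    """Stand-in site: /login sets the auth cookie, any other path reads it."""
    def do_GET(self):
        url = urlparse(self.path)
        self.send_response(200)
        if url.path == "/login":
            body = parse_qs(url.query)["user"][0]
            # Constructed cookie; the server only ever sees this value,
            # never which window or tab sent the request.
            self.send_header("Set-Cookie", f"AUTH={body}; Path=/; HttpOnly")
        else:
            pairs = self.headers.get("Cookie", "").split(";")
            cookies = dict(p.strip().split("=", 1) for p in pairs if "=" in p)
            body = cookies.get("AUTH", "anonymous")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass

def window(jar):
    """Model a browser window as a client bound to its profile's cookie jar."""
    return ur.build_opener(ur.ProxyHandler({}), ur.HTTPCookieProcessor(jar))

def get(opener, base, path):
    with opener.open(base + path) as resp:
        return resp.read().decode()

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        default_profile, test_profile = CookieJar(), CookieJar()
        w1, w2 = window(default_profile), window(default_profile)  # one profile
        w3 = window(test_profile)                                  # second profile
        get(w1, base, "/login?user=U1")
        seen_by_w2 = get(w2, base, "/default")   # w2 never logged in itself
        get(w2, base, "/login?user=U2")          # overwrites the shared cookie
        return {"w2_after_w1_login": seen_by_w2,
                "w1_after_w2_login": get(w1, base, "/default"),
                "w3_other_profile": get(w3, base, "/default")}
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() shows both windows of the shared profile following whichever login happened last, while the window on the separate profile stays unauthenticated.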