Authentication problem or error

There are 3 web applications.

Sites A and B are both ASP.NET web applications with FormsAuthentication configured, and site B has a secure folder, which is also configured correctly in the web.config file. Site C is a classic ASP web site that keeps its authenticated status in the session.

Now consider the following steps:

1. On a page of site A there is a link with target="_blank" pointing to the protected folder of site B;

2. Clicking this link opens site B in a new browser window and redirects to the login page;

3. Log in with your credentials, then go to the secure page; now you can of course view this page of site B;

4. Now close the browser window that displays the protected page of site B, either by clicking the close button or by pressing Alt + F4;

5. Then click the link on site A again: you can now access the secure page of site B without logging in again.

6. There is another link, also with target="_blank", on the site A page, pointing to the secure page of site C, which is an ASP site;

7. When the secure page of site C is first opened, registration is required;

8. Register on site C, and you can of course view the protected page; then close the browser window;

9. Click the link to site C again: you are already authenticated to site C.

Unfortunately, there are already 10 steps, which I think is boring, but they have really confused me for days.

Does anyone know about this issue? Many thanks.

2 answers


ASP and ASP.NET use a session cookie that is stored in the memory of the browser process. Opening a new browser window from a link does not start a new process, it just opens a new window that belongs to the same process as the original window.

Closing the window does not "kill" the session, because the session cookie will still be in the process memory; when another window visits the site, the existing session cookie is sent, so from the point of view of the sites this is still the same session.

Edit: the question arises in the comment "How to avoid it". The best answer would be: don't avoid it; accept it as normal behaviour and move on.

What you are asking for is a means of detecting that none of the windows is currently displaying content for a particular application. That is really hard. Even if you only have one application window (which cannot be guaranteed), you would have to ensure that all pages catch the window's onunload event and inform the server that the application has been left.



If it is critical that users be able to log out of the application, then this is best accomplished by providing a link on every page in a common header, like the page you are looking at right now.

Typically a session in ASP is marked as "registered" by storing some sort of token in the session object. Pages that are part of the app validate this token and, if it is not present, redirect to the login page.

To log out, the session value is removed and the client is redirected to the login page.

ASP.NET FormsAuthentication has the SignOut and RedirectToLoginPage methods, and Forms Authentication automatically redirects to the login page.

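A logout handler for the ASP.NET sites (A and B) along the lines this answer describes, added here as an example and not code from the question or the answer; it assumes a WebForms page named Logout.aspx with this code-behind, linked from the common header, and the default session cookie name ASP.NET_SessionId:

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for an assumed Logout.aspx page. The forms ticket and the
// session id are cookies without an expiry, so closing a window leaves
// them in the browser process; the reliable way to end the login is to
// invalidate them server-side and tell the browser to drop them.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Discard server-side session state (where the "registered" token
        // the answer mentions lives), so a replayed session id is useless.
        Session.Abandon();

        // Remove the forms-authentication ticket: the browser receives the
        // cookie again with an expiry in the past.
        FormsAuthentication.SignOut();

        // Session.Abandon alone does not clear the session-id cookie from
        // the browser, so expire it explicitly (default name assumed).
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(sessionCookie);

        // Send the user to the login page configured in web.config.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

After this response the next click on the site A link opens site B with no ticket and no session, so the secure folder redirects to the login page again.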


Use Session.Abandon on the window.close event, e.g.



Create a function that is loaded in the header and catches the window.close event. Don't forget to check whether the previous page is from the same domain / IP, since your user might forget to log out, go to another site and then hit the back button...
