Nash

Reputation: 531

Forms Authentication on browser exit

This morning my co-worker and I got into a discussion about storing the auth cookie when RememberMe = false.

MVC4, Forms Authentication, C#.Net, Visual Studio 2012, IIS 7.5, InProcess Session

  1. User logs in (RememberMe = false) and navigates to an item in the app. Default session timeout was set to 30 mins.

  2. User copied the URL and closed the browser (IE9).

  3. Opened a new browser (IE9) and pasted the copied URL; UI redirected to the login page.

Here I say the session created in step 1 is still valid. On close of the browser, the browser lost the AuthCookie.

He says that the Session is created based on the browser session also. I'm a bit confused.

Please let me know what actually happened.

Sorry for the bad English

Upvotes: 1

Views: 1617

Answers (2)

keyboardP

Reputation: 69372

I'm assuming you're using the default Session-State Mode, which is InProc. A session generates a SessionID and this ID is stored in a cookie. This cookie is sent to the user and whilst requests are made with that cookie, the session is alive. The ID itself identifies the unique browser, which is why you can log into the same website with different accounts when you use two different browsers at the same time. However, you can't sign into different accounts from different tabs of the same browser (unless the website has specifically customised their site to support that feature).

By closing the browser, this cookie is deleted, and so the session will be ended when its timeout period has been reached. The reason you're taken to the UI page is because the new cookie you have no longer has the same session ID so, for all intents and purposes, you're a new user.

Upvotes: 0

Forty-Two

Reputation: 7605

RememberMe = false means the authentication cookie that was issued to the user was NOT persistent (the expiration of the cookie is set to "SESSION"). That is, the cookie is lost when the browser session ends. RememberMe = true means a persistent cookie is created and is saved across multiple browser sessions (the expiration of the cookie is set to a specific date, usually configured in web.config).

Read the documentation here

Upvotes: 3
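
The persistent versus session-only distinction described in the answer above, as an added example that is not part of the original question or answers: a helper that builds the Forms Authentication cookie by hand so the effect of the RememberMe flag on the cookie's `Expires` attribute is visible. The class name `AuthCookieFactory` and its parameters are hypothetical; it assumes an ASP.NET (System.Web) application with Forms Authentication configured in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example; AuthCookieFactory and its parameter names are hypothetical.
public static class AuthCookieFactory
{
    public static HttpCookie Create(string userName, bool rememberMe)
    {
        DateTime now = DateTime.Now;

        // Ticket lifetime comes from <forms timeout="..."> in web.config.
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,
            now,                                  // issue date
            now.Add(FormsAuthentication.Timeout), // server-checked expiration
            rememberMe,                           // IsPersistent flag stored in the ticket
            string.Empty,                         // no custom user data
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };

        if (rememberMe)
        {
            // Persistent cookie: an Expires attribute is sent, so the browser
            // keeps the cookie across restarts until that date.
            cookie.Expires = ticket.Expiration;
        }
        // Otherwise Expires is left unset: the browser treats it as a session
        // cookie and discards it when the browser closes.

        return cookie;
    }
}
```

A login action would add the result with `Response.Cookies.Add(AuthCookieFactory.Create(userName, rememberMe))`. In both cases the expiration inside the encrypted ticket is still checked on the server for every request.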
