Paul

Reputation: 3253

How can I ensure user has logged into my system?

I have a web application with 2 pages

1) Logon page
2) aspx page that hosts a Silverlight application

When my user logs in correctly I create a GUID which I then put onto the session. They get redirected to the page that hosts the Silverlight application. The Silverlight page reads the GUID, performs some additional processing required, then shows the application. This works perfectly.

However, if a new window is started up, the user can simply copy and paste the link to the Silverlight page and it still all works. I was expecting the new window to have a new session, but for some reason it is able to use the same session as the previous one?

This is a security risk.

What is the best way round this?

I have tried several approaches, like hidden fields, etc.

I do not want to have to put anything onto URLs.

I use Response.Redirect to go to the Silverlight host page. I cannot use Server.Transfer because I need the URL to change.

Any ideas on this?

This is a C# web application.

Both the login and Silverlight host page reside in the same web application, if this helps?

Paul

Upvotes: 0

Views: 112

Answers (1)

Brent Mannering

Reputation: 2316

ASP.NET Forms authentication sounds like your best bet.

As for the sharing of sessions across multiple tabs/windows of the same browser, this is fairly standard functionality of the browser and, as far as I know, there is no way to circumvent it, unfortunately. Note: the session is only shared for an individual user, and only within the same browser (i.e. if the same user on the same PC initiates a request to your web app with another browser, the session will not be shared).

Upvotes: 1
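The Forms authentication setup suggested in the answer could look like the following web.config. This is an added example, not part of the original question or answer; the page names `Login.aspx` and `SilverlightHost.aspx` and the timeout value are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: page names and timeout are assumed, not from the post. -->
<configuration>
  <system.web>
    <!-- Forms authentication issues an encrypted, signed ticket in a cookie
         after a successful login. The ticket, not a GUID in session state,
         is what proves the user has logged in. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             defaultUrl="~/SilverlightHost.aspx"
             protection="All"
             cookieless="UseCookies"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true" />
      <!-- cookieless="UseCookies" keeps the ticket out of the URL.
           requireSSL="true" stops the cookie being sent over plain HTTP. -->
    </authentication>

    <!-- Keep cookies unreadable from script and restricted to HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Anonymous requests ("?") for the host page are denied, so pasting its
       URL into a browser with no valid ticket redirects to Login.aspx.
       A new tab in the SAME browser still sends the same cookie and is
       therefore still treated as the same logged-in user. -->
  <location path="SilverlightHost.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, the login page would call `FormsAuthentication.RedirectFromLoginPage` after validating credentials, which issues the ticket and redirects so the URL changes. Any web services the Silverlight client calls need the same authorization rule, since protecting only the host page does not protect the data behind it.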
