Inherit session even if opening a new instance of IE7 - internet-explorer-6

I understand that sessions are kept when opened in a new tab but is it possible to inherit the session when opening a new instance of IE7 or IE6?
For example, I opened a web application, if I opened a new browser and I went to the same URL, it will keep me logged in.

I think this is more related to cookies than sharing session between tabs or windows.
You have cookies from a site that retains some information about you. These are sent to the server when you connect to the same site within another window and you are identified based on the content in the cookie.
The following post presents some details, although I am not sure if you are asking "why?" or "how?" you are kept logged in... either way, it involves cookies on the client machine.

Related

Open default browser and login with SSL

I'm brainstorming a C# project to auto-login to a web portal when a hotkey is pressed. The username and password need to be securely sent to the web portal to login. I have created the hotkey and storage, and retrieval of the credentials, but I'm stuck on how to actually open the default browser and login.
Things I have thought about:
Sending hashed values in the URL (HTTP Get). This is great, because I can just call System.Diagnostics.Process.Start(loginUrl);. But, this creates a LONG URL and runs the risk of copy and pasting the URL (I don't want the login URL to be portable or reusable).
Grabbing the COM object and sending into visible forms the creds, then hitting a hidden submit button. All while the current page shows some 'loading' splash. But, this requires grabbing the COM object of an open browser or creating one based on the default browser and hoping that browser compatibility allows me to access the DOM to set the text in the forms and hit the submit button. (all hopefully through SSL, although I'm not sure how that will affect things from my end if at all)
I have seen examples on this site using WebRequest and WebResponse. But, do those actually give the commands to the default browser? Or does that make a connection right to the C# program. Because what I really want is to "forward" the credentials to a browser like IE so it can login. Assuming the webpage that I am contacting is HTTPS, then that means I can send unencrypted credentials to the form since they will be secured over the internet? And the end user will not be able to copy the creds since they will be submitted to hidden forms right?
To conclude: I'm looking for a secure way to send credentials to a browser to use to log into a web portal without having to worry too much about browser compatibility.
Thank you for your time and let me know if I can provide any more information.

If user in session, copies and pastes url in another window, the app should get logged out

I am working on a financial web application.
There is a client requirement that if user is logged in and already browsing the app. If he copies and pastes the browser url to another window. In another window, the user should get logged out.
I know HTTP is stateless and there is no inbuilt browser mechanism (cookies etc) to solve it, this needs to be implemented by programming only. I guess people have already solved this problem. Do you know a possible solution to solve this issue?
Sadly, there is no solution.
The browser keeps the cookies and all of the user information for all the tabs and windows you open. It will clear the data (like cookies that ask to be removed after the session) as soon as you close ALL tabs and windows of your browser. Note that if the user uses another browser, the behaviour you want will be respected — browsers don't (yet?) share this kind of information.
It is simply not possible to solve the problem with code, and you'll have to find work-around.
As a researcher, I've seen one of these solutions : de-auth the user on the HTTP_REFERER (Apache Env. Variable). As soon as the referer was not the application itself (except for the login form), the user was de-authed. But take care of it : the Referer is an info sent by the browser. And no information sent by the browser should be trusted :). The advice remains, if only you want to use Javascript. You'll find someone to use a JS-disabled-browser to bypass your verification.
That's why Application Development is not yet dead ;)
Cheers.
K.

Not able to open my application in two different tabs in a single browser window

I found that IE7 maintains the same session for multiple tabs in a single browser window and thus doesn't support different sessions for different tabs in a single browser window. My client needs that the application should work perfectly in two different tabs in a single browser window. I think this is because of a session and cookie problem. Is there a workaround for this?
Appreciate your help in this regard.
Thanks,
Manoja Swaro
Browser tabs share cookies (and not just in IE, in Firefox and the others as well), and the cookies contain the session ID.
You could switch to cookie-less sessions however this has security and usability concerns. URL based sessions are easily hijacked, and it breaks bookmarking as well, as each page has a unique URL per session.
IE7 doesn't maintain a 'session' as such, you're talking about a cookie with a session ID in it, I would guess. All browsers will have one value for a cookie, it doesn't vary by window/tab.
If you want a session ID to travel with the click trail, you're going to have to pass it from page to page, by (for instance) passing it as a URL parameter and ensuring that you add the parameter to the URL within the page. (Or do without a session.)
The real solution is to change your application so it doesn't assume each session has only one page. An application that can't be open in multiple tabs is broken.
This can be hard if this assumption is already deeply embedded in your code.

Understanding web app authentication scenario - How do they force authentication on each new browser instance?

I use a web application that forces you to reauthenticate with the application even if you open a new browser window that shares the same session, e.g. File, New Window in Internet Explorer. I was surprised since I thought that if you opened a new browser window from File, New in both IE and Firefox (vs. starting a new browser process) that it would share the same session.
Using an Internet Explorer cookie viewer/editor, I saw no cookies for this application at all.
How do they likely implement this forced authentication scheme that seems to disallow new browser windows from continuing the session?
One common approach is to pass a session ID in the URL.
For instance, asp.net uses this approach for cookieless sessions. URLs within the application are rewritten to contain a session ID.
There are two possibilities for this:
It's a session ID stored in all <a href=''>, so clicking on a link automatically sends some data to the server.
Same, but with POST queries (hidden form fields)

close browser totally

Is there any solution for how I can close the browser completely? I need this because I am using Single Sign On from another page and on that page it is written that only closing the browser will log out the user.
You can't close the users browser, but if you can identify the cookie which contains the session, you may be able to clear it. How you would do this depends on the language you are using.
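In Javascript, you would have to be operating on the same domain as the cookie you want to clear
// Build an expiry date one day in the past (setTime takes milliseconds)
var expired = new Date();
expired.setTime(expired.getTime() - 86400 * 1000);
// Overwrite the cookie with an empty value and a past expiry so the browser discards it
document.cookie = "my_session_cookie_name=; expires=" + expired.toUTCString();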
On the server-side, you can output headers to set or clear cookies. Depending on the users browser settings, you may be able to set cookies on 3rd party domains. Here's an example in PHP
setcookie ('my_session_cookie_name', '', time() - 86400);
//clear cookie for example.com
setcookie('my_session_cookie_name', '', time()-86400, '/', '.example.com');
No, you cannot.
that page it is written that only closing the browser will log out the user
If you could run JavaScript in the right domain (the Single Sign On server's domain), I bet that you can log the user out just by deleting the session cookie.
No you cannot force a user's browser to close without their permission.
Edit: Even though there are workarounds for some browsers, it is a bad practice and considered intrusive.
At least not in Firefox, otherwise it will be a big usability issue.
Delete the cookies when you close the tab.
It's possible to close a browser opened via JavaScript, but since the user opened the first browser it won't be possible to close all browsers.
Your SSO should have some kind of logout function, it would be better. This function would clear the user cookies or clear the session on the server side.
If each SSO site is given its own cookie, you may need to log the user out of each SSO site individually. Hopefully each site has its own "log me out" URL and you can open a page with multiple iframes to each SSO site.
You can set them across domains, but depending on the security settings in the browser, they may be blocked, the user may be prompted to confirm, or they may be silently accepted. Here's how you would configure Firefox to block 3rd party cookies: support.mozilla.com/en-US/kb/…
And how can I set them across domains?
It's very simple, just add javascript
<td width="10%"><div align="center"><font color="#ffffff">Close</font></div></td>
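The logout function suggested in the answers above (clear the session on the server side and expire the cookie), as an added example that is not code from any of the posts. The in-memory store, the function names and the cookie attributes are assumptions; `my_session_cookie_name` and `.example.com` are the placeholders from the PHP snippet.

```javascript
const { randomBytes } = require('crypto');

// Assumed cookie settings; name and domain are the placeholders used in the posts.
const COOKIE = { name: 'my_session_cookie_name', path: '/', domain: '.example.com' };
const ATTRS = `Path=${COOKIE.path}; Domain=${COOKIE.domain}; HttpOnly; Secure; SameSite=Lax`;
const sessions = new Map(); // session ID -> { user } (hypothetical in-memory store)

function login(user) {
  const id = randomBytes(32).toString('hex'); // unguessable session ID
  sessions.set(id, { user });
  return { id, setCookie: `${COOKIE.name}=${id}; ${ATTRS}` };
}

// Pull our session ID out of a raw Cookie request header.
function sessionIdFrom(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === COOKIE.name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

function currentUser(cookieHeader) {
  const id = sessionIdFrom(cookieHeader);
  const session = id ? sessions.get(id) : undefined;
  return session ? session.user : null;
}

// Logout: drop the server-side state first, then tell the browser to discard
// the cookie. Path and Domain must match the values the cookie was set with,
// otherwise the browser keeps the original cookie.
function logout(cookieHeader) {
  const id = sessionIdFrom(cookieHeader);
  if (id) sessions.delete(id);
  return `${COOKIE.name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; ${ATTRS}`;
}

// Constructed walk-through: another tab or window replays the same cookie after logout.
function demo() {
  const { id } = login('alice');
  const cookieHeader = `theme=dark; ${COOKIE.name}=${id}`; // constructed request header
  const before = currentUser(cookieHeader);
  const setCookie = logout(cookieHeader);
  const after = currentUser(cookieHeader); // cookie still sent, session is gone
  return { before, after, setCookie };
}
```

Because every tab and window of the browser sends the same cookie, removing the session on the server logs all of them out at once, even if one of them never receives the expiring `Set-Cookie` header.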
