I was playing around with forms authentication and I noticed a problem if the user closes their browser instead of clicking the signout button on the website.
If a user shuts down the browser, the forms auth cookie still exists when they load it back up, even though it is a session-only cookie and isn't persisted. In the code-behind of my master page I have the following.
Master page code-behind

    protected void Page_Init(object sender, EventArgs e)
    {
        // if authenticated, initialize session
        if (Request.IsAuthenticated)
        {
            // set stuff
        }
    }
When I debug through it, the first time it hits Request.IsAuthenticated it is false; then it hits it again and it is true. The problem is that in the front-end page I have some checks to see if the user is authenticated, and it is false when it evaluates those conditions.
Master page front-end
<% if (Request.IsAuthenticated) { %>
<li>Admin Page</li>
<% } %>
Setting the auth cookie
FormsAuthentication.SetAuthCookie(username, false);
web.config

    <authentication mode="Forms">
      <forms
        loginUrl="/"
        name="ASPXFORMSAUTH"
        timeout="360"
      />
    </authentication>
Summary
- The forms auth cookie persists when a user just shuts / closes the browser down, even though it is not a persistent cookie.
- If a user has an existing forms auth cookie when they load up the site, the Request.IsAuthenticated check evaluates to false on the first hit in the debugger and then true on the second. The front-end page obviously checks these things on the first hit, because they evaluate to false.
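The configuration above issues a non-persistent ticket (SetAuthCookie with createPersistentCookie=false), but "non-persistent" only describes the cookie's storage on the client; a browser that restores its session can hand the same cookie back after a restart, and the server sees a valid ticket. The following is an added example, not code from the original post, of a master page Page_Init that decides on the ticket's own issue and expiry times instead of assuming the cookie vanished with the browser window. MaxTicketAge and the SiteMaster class name are assumptions for illustration; the FormsAuthentication calls are the standard System.Web.Security API.

```csharp
// Added example (not from the original post): explicit forms-ticket validation
// in a master page. The ticket is decrypted from the cookie named in web.config
// and rejected if it has expired or is older than an assumed absolute limit,
// so a session cookie restored by the browser does not silently keep a user
// signed in past the server's policy.
using System;
using System.Web;
using System.Web.Security;

public partial class SiteMaster : System.Web.UI.MasterPage
{
    // Assumed policy value: refuse tickets issued longer ago than this,
    // regardless of the sliding "timeout" in web.config.
    private static readonly TimeSpan MaxTicketAge = TimeSpan.FromHours(6);

    protected void Page_Init(object sender, EventArgs e)
    {
        // Same gate as the original post. By Page_Init the FormsAuthenticationModule
        // has already run, so this reflects whether a decryptable ticket was present.
        if (!Request.IsAuthenticated)
        {
            return;
        }

        // Read the ticket back from the cookie named by the <forms name="..."> attribute.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = null;
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try
            {
                ticket = FormsAuthentication.Decrypt(cookie.Value);
            }
            catch (Exception)
            {
                // Undecryptable or malformed value: treat as unauthenticated.
                ticket = null;
            }
        }

        bool tooOld = ticket != null && DateTime.Now - ticket.IssueDate > MaxTicketAge;
        if (ticket == null || ticket.Expired || tooOld)
        {
            // Clear the cookie on the server side and send the user to the login page
            // instead of trusting the browser to have discarded a session cookie.
            FormsAuthentication.SignOut();
            Response.Redirect(FormsAuthentication.LoginUrl, false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Ticket is present, unexpired and within policy: initialize per-user state here.
        // ticket.Name is the username that was passed to SetAuthCookie.
        // ticket.IsPersistent is false for the cookie issued in the original post.
    }
}
```

The front-end `<% if (Request.IsAuthenticated) %>` check in the master page markup then only sees requests that passed this gate, because a rejected request is redirected before the page renders.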
Figured it out.
Appears to be a Firefox issue. Firefox used to allow users to save their tabs, but removed that feature. Saving tabs also saved any session cookies associated with those tabs.
The setting in the about:config is
I am on Firefox 11, so this should have been disabled by default, but my config somehow got corrupted and I had to reset it by using safe mode and restoring the default settings. Now it works.