I’m using vanilla forms authentication. If I have multiple sessions open as the same user, and I change the password in one session, the other session still authenticates.
I would expect that the second session would prompt me for my credentials again.
Would I have to write the hashed password to the cookie and check that on each request to obtain this functionality?
Seems like a security hole to me.
This is expected behavior. FormsAuthentication stores the user information only (with some other data to validate that the server in fact produced that cookie). The cookie itself is the valid credential (or ticket or claim). If you are concerned about this you should reduce the time the forms cookie is valid for or potentially phone home even more often to ask the server if a password change has occurred and if so execute the FormsAuthentication.SignOut() action to force a re-login.
Maybe not what you want FormsAuthentication to do, but what it does.
Hope this helps.
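One way to implement the "phone home" check the answer describes, as an added example that is not part of the original answer: an HttpModule that decrypts the forms ticket on every request, compares its IssueDate with when the user's password was last changed, and signs the user out if the ticket predates that change. The `GetPasswordLastChangedUtc` delegate is a hypothetical hook you would point at your own user store.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class PasswordChangeSignOutModule : IHttpModule
{
    // Hypothetical lookup, assigned in Application_Start: returns the UTC time the
    // user's password was last changed, or null if the user no longer exists.
    public static Func<string, DateTime?> GetPasswordLastChangedUtc;

    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has read the cookie, before any handler.
        app.PostAuthenticateRequest += (sender, e) =>
            CheckTicket(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    // Returns true when the ticket was invalidated (password changed after issue).
    public static bool CheckTicket(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || GetPasswordLastChangedUtc == null) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return false; } // undecryptable: normal pipeline rejects it
        if (ticket == null || ticket.Expired) return false;

        DateTime? changedUtc = GetPasswordLastChangedUtc(ticket.Name);
        // IssueDate is local time; compare in UTC. A ticket issued before the last
        // password change (or for a deleted user) is no longer acceptable.
        bool stale = changedUtc == null
                     || ticket.IssueDate.ToUniversalTime() < changedUtc.Value;
        if (!stale) return false;

        FormsAuthentication.SignOut();                      // clears the forms cookie
        ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
        ctx.ApplicationInstance.CompleteRequest();          // stop processing this request
        return true;
    }
}
```

Register the module in web.config and, in the session that performs the password change, call FormsAuthentication.SetAuthCookie afterwards so that session gets a fresh ticket and is not signed out by its own change.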