BOOK: Beginning ASP.NET 3.5 : in C# and VB BOOK ISBN: 978-0-470-18759-3
This is the forum to discuss the Wrox book Beginning ASP.NET 3.5: In C# and VB by Imar Spaanjaars; ISBN: 9780470187593
You are currently viewing the BOOK: Beginning ASP.NET 3.5 : in C# and VB BOOK ISBN: 978-0-470-18759-3 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

April 7th, 2009, 07:46 AM
Registered User
Chapter 15 Role Management Question
Hey guys,
I got a question regarding the role management in ch15. On page 549's try it out section step 11, I tried to paste the management page url to the same explorer instance rather than do it on a new instance of explorer after logout but I was brought back to the management page without being required to login. Is the session supposed to be ceased immediately when I logout? Why would I have to open a new explorer instance to bring me to the login page? A bit confused...

April 7th, 2009, 01:27 PM
Wrox Author
When you have multiple Explorer windows, they share cookies. So while you're logged out in one, the other may still have the authentication cookie. Since it's a *client* log out, the server doesn't know you logged out in the other window.
By closing the browser, you can be sure no cookies are left, and you'll need to reauthenticate.
Cheers,
Imar

April 8th, 2009, 02:02 AM
Registered User
Thanks for your reply, Imar!
I haven't looked into the way membership service implements logout function, but I guess session state is cleared up as soon as the logout button is clicked. I guess even if users cookies are used to store user information, logout is enough to expire the cookies on my computer, and any other explorers will lose the authentication too when sending a new request. I think closing a window is to cease a session rather than clear up cookies and persistent cookies are supposed to be cleared up by logout function.
Please correct me if I'm wrong.
Following your example on P548 step 10, without checking the "Remember me" option, I suppose user state is kept by session state rather than cookies. In this scenario, when I logout, my session state is supposed to be ceased immediately. However, when I paste the management url to the same browser without closing it after logout, I can still access the management page.
Could you explain why that happens?
Thanks again for your time to solve my doubt!

April 8th, 2009, 04:26 AM
Wrox Author
Hi there,
Sessions are not used in the site, so they are not involved here. Besides, they rely on cookies as well so the same rules with regards to expiration apply.
When you click the Logout link in step 11, then don't close the browser and paste the Management URL in the browser again, you *think* you can still access the page. However, as soon as you refresh the page using Ctrl+F5 you get the Login screen again. You are really logged out from the site's / browser's perspective, but the browser serves you a cached copy.
Instead of telling you to close the browser, I could have instructed you to refresh the page. However, in order to avoid confusion, and let you focus on the mechanics of logging in, I chose to let you close the browser.
For the record: forms authentication data is by default stored in cookies, and so are the roles.
Hope this clarifies things.
Cheers,
Imar
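
A server-side way to avoid the stale cached copy described above, as an added example (not part of the thread or the book's code): an HTTP module that marks every response to an authenticated request as non-cacheable, so a protected page is requested again after logout and the user lands on the login page. The module name and its web.config registration are assumptions.

```csharp
using System;
using System.Web;

// Hypothetical module (the name is an assumption, not from the book).
// Register it in web.config under <system.web><httpModules>:
//   <add name="NoStoreForAuthenticated" type="NoStoreForAuthenticatedModule" />
public class NoStoreForAuthenticatedModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // Runs after forms authentication and URL authorization have
        // processed the request, so Request.IsAuthenticated is reliable.
        application.PostAuthorizeRequest += OnPostAuthorizeRequest;
    }

    private static void OnPostAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Anonymous pages (home page, login form) stay cacheable.
        if (!context.Request.IsAuthenticated)
        {
            return;
        }

        // Tell the browser and any intermediate proxy not to keep a copy,
        // so pasting the URL after logout triggers a real request.
        HttpCachePolicy cache = context.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        cache.SetNoStore();                              // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));   // Expires in the past
    }

    public void Dispose()
    {
    }
}
```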

April 9th, 2009, 12:07 AM
Registered User
Hi Imar,
Thanks for the clarification!
Regarding the authentication cookies, I noticed that the first time I log in (without "Remember me"), the server allocates me a ".ASPXAUTH" cookie which I figure is the non-persistent "authentication cookie" you mentioned. Strangely enough, this cookie is not sent to the server when a new request is sent on a newly opened explorer after login.
Does this imply that the "authentication cookie" is not shared by different explorer instances and it's session-specific?
Wow... I found myself spending too much time trying to figure out how the membership is implemented. I will probably need to move on to finish this book first!
Great book btw!!!
Will

April 9th, 2009, 02:17 AM
Wrox Author
It depends on the browser. Most browsers share cookies between tabs, but not between real instances of the browser.
You could install something like Fiddler and see what traffic is sent to the browser exactly.
Cheers,
Imar