Chrome: cookie removed when user leaves page - asp.net-mvc

I have an ASP.NET MVC1 site where the user is logged in. He is logged in because he has a cookie ".ASPXAUTH" with a token value in it.
For payments the user gets redirected to a payment provider. He is redirected to my site when he has completed the payment process.
This usually worked fine, but since the 29th of June I have had a lot of users who don't have a cookie when they get redirected to our site.
I can't reproduce this behaviour, but I see a pattern: most users that have lost the cookie have the recent version (20.0.1132.47) of Chrome on Windows.
Has anybody had issues like this in the last couple of days? I have no idea what the reason might be, but I suspect it to be a setting of Chrome that is changed now by lots of users, or an add-on that changes something.
EDIT
The cookie created by forms authentication is a session cookie. Maybe some browsers changed the way they detect a session. If I have a session cookie, close the browser and reopen it, I still have the cookie.

Related

After a site rebuild on first login the session is destroyed after redirect

I am currently getting an issue after an ASP.NET MVC 4 site is rebuilt that I was not getting previously.
We log in to a 3rd party site that redirects to our site with an authentication payload. A Session_Start is hit and the payload is successfully processed and a Session variable with the user's details is created. We then do a RedirectToAction to send the user to another page.
On the first login after the site has been rebuilt Session_Start is hit again and a new Session is being created on the Redirect, where previously it was not doing this. As our site checks for and treats an invalid session as being incorrect, it sends the user back to the 3rd party site to log in again. When they next log in they do not get this issue.
This looks to be happening when the site recycles as well. It only occurs for the very first user that logs in to the site after it's been rebuilt.
This only began happening in the last 2 weeks and I have reviewed any changes that went into the site in that time but could not find an obvious cause of the issue.
Any help would be appreciated.

ASP.NET MVC ActiveDirectoryMembershipProvider user stays logged in even when password has changed

I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in Active Directory, the user stays logged in to the web app?
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled etc?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
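An added example, not code from this answer, of the approach it describes: the ticket is issued by hand with the validation time in UserData, and an authorize filter derived from AuthorizeAttribute re-checks IsApproved and LastPasswordChangedDate once 30 minutes have passed, signing the user out if they no longer hold. Class and member names are hypothetical; it assumes the membership provider reports LastPasswordChangedDate in server local time and that TicketLifetime is set to match the timeout in web.config.

```csharp
using System;
using System.Globalization;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class RevalidatingAuth
{
    static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(30);
    static readonly TimeSpan TicketLifetime = TimeSpan.FromHours(8);   // assumption: mirror the web.config timeout

    // Issue the cookie by hand so UserData carries the validation time (UTC, round-trip "o" format).
    public static void IssueTicket(HttpResponseBase response, string userName, bool persistent)
    {
        DateTime now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(1, userName, now, now.Add(TicketLifetime), persistent,
            now.ToString("o", CultureInfo.InvariantCulture), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = FormsAuthentication.FormsCookiePath };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // True while the ticket is trustworthy; re-checks the directory once RecheckInterval has passed.
    public static bool StillValid(HttpContextBase ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);  // forms auth module already validated it
        DateTime validatedAt;
        if (ticket == null || ticket.Expired || !DateTime.TryParse(ticket.UserData, CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out validatedAt)) return false;
        if (DateTime.UtcNow - validatedAt < RecheckInterval) return true;  // checked recently; skip the AD round trip
        MembershipUser user = Membership.GetUser(ticket.Name);
        if (user == null || !user.IsApproved || user.IsLockedOut ||
            user.LastPasswordChangedDate.ToUniversalTime() > validatedAt) return false;  // changed since we validated
        IssueTicket(ctx.Response, ticket.Name, ticket.IsPersistent);       // re-stamp the validation time
        return true;
    }
}

// Use in place of [Authorize]; returning false makes the base class redirect to the login page.
public class RevalidatingAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        if (RevalidatingAuth.StillValid(httpContext)) return true;
        FormsAuthentication.SignOut();                                     // drop the stale cookie before redirecting
        return false;
    }
}
```

Call IssueTicket from the login action in place of FormsAuthentication.SetAuthCookie, so that every ticket the filter sees carries a validation timestamp.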
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has an authentication ticket (cookie), the user is not challenged for authentication again until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will be required to use their new password. Variations of this solution include using session-only cookies so that the user must always login when the browser is closed (recommended for AD authentication).
Write an Http Module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you expire the user's cookie and redirect them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site

Cookies getting deleted from browser on exit (Spring Security 3.1)?

I am using Spring Security 3.1 to handle login authentication, session timeouts and maximum sessions.
Also I am deleting cookies only on logout.
<logout delete-cookies="JSESSIONID" logout-success-url='logout page' />
Also I have set maximum sessions to 1 as of now for testing.
When I open my webpage in the browser, it stores the JSESSIONID in a cookie, but the problem starts when I exit and reopen my browser. At this time I cannot find any cookies in the browser; they get deleted, which is why I am not getting redirected to the welcome page (the page after login).
But when I login again, it shows an error message that I am printing: number of sessions exceeded.
This possibly means that the session remains alive on the server side but it gets deleted from the cookie on the client side, due to which I neither see the welcome page nor am able to login on the login page.
What else do I need to do so that cookies remain there in the browser till the session times out? I have set the session timeout to 10 days.
This is normal behaviour. JSESSIONID cookies are only valid for the lifetime of a browser session so are gone when you close your browser. This isn't something you can change.
There is no connection between the browser's perception of a session and the lifetime of a session on the server. Unless you actually log out, the server session is still there until it times out and is removed by the server (10 days in your case). Until that happens, trying to log in again will exceed the number of allowed sessions.
If you want to stay logged in for 10 days, you might want to look at using remember-me cookies rather than the standard servlet container session.
Unless you have a definite requirement for restricting the number of concurrent sessions a user can have, I would avoid using that as it will just cause you problems. You haven't actually shown your configuration for this, but there are really just two options. Either a user can log back in again and the previous session will be marked as expired, or attempting to log in a second time will cause an error until the previous session has timed out, or the user logs out to explicitly invalidate it. The behaviour is controlled by the error-if-maximum-exceeded namespace attribute.

SessionID Shifts in IE8 Forms Authentication issue

Recently I noticed issues with the login process of a website I maintain.
When logging into the site with IE8 the .authuser cookie set by forms authentication shifts UIDs. This does not happen in any other browser I have tested. [ie6, ie7, ie9, FF6, FF7, FF8, Chrome, Safari]
User visits site. Clean browser session.
User is given a .authuser cookie with a UID
User goes to login page and logs in
User succeeds at login and is redirected
User is given a new .authuser cookie UID value
The biggest issue that comes from this is the fact that the login cookies set actually allow the user to return as 'partially authenticated', like on Amazon. This means that the user can do all sorts of things on the site related to session, and when they log in using IE8, all that data is lost and corrupts certain processes in the site.

How do you cancel someone's persistent cookie if their membership is no longer valid?

I'm designing a small ASP.NET MVC site for a club. Generally, I want users to be able to stay logged in, but what happens if a user's membership has lapsed? Is there any way to "de-authorize" them so that next time they try to view a page, it redirects them to a page telling them their membership has lapsed?
If the timeout defined for the authentication cookie is hit it will no longer be valid and users will automatically be redirected to the login page. If you want to sign them out automatically under some circumstances you could simply:
FormsAuthentication.SignOut();
Why don't you make the expiration of the authentication cookie the number of days that you want or their membership expiration date, whichever is sooner? Then you get the benefit of it being handled automatically.
When you get the user's information from the cookie, you could add a check to see if their membership has lapsed and redirect them to that page.