
Understanding web app authentication scenario - How do they force authentication on each new browser instance?

Developer https://www.devze.com 2022-12-14 04:42 Source: Internet

I use a web application that forces you to reauthenticate with the application even if you open a new browser window that shares the same session, e.g. File, New Window in Internet Explorer. I was surprised since I thought that if you opened a new browser window from File, New in both IE and Firefox (vs. starting a new browser process) that it would share the same session.

Using an Internet Explorer cookie viewer/editor, I saw no cookies for this application at all.

How do they likely implement this forced authentication scheme that seems to disallow new browser windows from continuing the session?


One common approach is to pass a session ID in the URL.

For instance, ASP.NET uses this approach for cookieless sessions. URLs within the application are rewritten to contain a session ID.


There are two possibilities for this:

  1. The session ID is stored in all <a href=''> links, so clicking on a link automatically sends some data to the server.
  2. Same, but with POST queries (hidden form fields)
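
The cookieless scheme both answers describe, as an added example that is not part of the original answers and is not ASP.NET's own code: the server puts a session token into every same-site link and form it renders, and a request that arrives without the token finds no session, so it has to log in again. The parameter name `sid`, the function names and the sample page are assumptions made for illustration.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

SESSIONS = {}   # token -> user; in-memory store for this example only
PARAM = "sid"   # hypothetical name of the URL / hidden-field parameter

# Constructed sample page: one internal link, one external link, one form.
SAMPLE_PAGE = ('<a href="/inbox">Inbox</a> '
               '<a href="https://example.org/help">Help</a> '
               '<form method="post" action="/save"><input name="note"></form>')

def login(user):
    """Create a session and return its unguessable token (no cookie is set)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def add_token(url, token):
    """Append the session token to a same-site URL; leave other URLs alone."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:   # absolute or off-site link: no token
        return url
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != PARAM]
    query.append((PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))

def rewrite_page(html, token):
    """Possibility 1: token in every <a href>. Possibility 2: hidden field."""
    html = re.sub(r'href="([^"]*)"',
                  lambda m: 'href="%s"' % add_token(m.group(1), token), html)
    hidden = '<input type="hidden" name="%s" value="%s">' % (PARAM, token)
    return re.sub(r'(<form\b[^>]*>)', lambda m: m.group(1) + hidden, html)

def authenticate(url, form=None):
    """Return the user for this request, or None (caller redirects to login)."""
    token = (form or {}).get(PARAM)
    if token is None:
        token = parse_qs(urlsplit(url).query).get(PARAM, [None])[0]
    return SESSIONS.get(token)

if __name__ == "__main__":
    t = login("alice")
    print(rewrite_page(SAMPLE_PAGE, t))
    print(authenticate("/inbox?sid=" + t), authenticate("/inbox"))
```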