Web Security In Ie Vs Chrome & Firefox (bug)

Why is the Web Security is working differently on different browser: Details: I have two applications One is a simple HTML application and another one is an ASP.NET MVC4 WebApi

Solution 1:

The issue is not with web security at all, it's with the way you implement your security. You should never be using a userid, email, or anything important in the cookies.

I would suggest you use the FormsAuthentication class to encrypt and decrypt your cookies, and even so, only store something such as the SessionID plus a custom hash of that session ID to verify your self when you decrypt the cookie

Here is a site that gives a pretty good example: http://www.c-sharpcorner.com/uploadfile/nipuntomar/update-formsauthenticationticket/

Solution 2:

There are 3 things around it:

WebSecurity.IsAuthenticated actually returns the value of HttpRequest.IsAuthenticated, which is true if the Forms Authentication cookie has been set and is current. It's not available until the user makes the next request after successfully logging in, which is why you are seeing the behaviour that you describe.

I remember reading on MSDN or someplace, the WebSecurity.IsAuthenticated does not work until the page is fully loaded. Meaning if you login a user in a page and in the same flow of code you check IsAuthenticated, it will NOT return True. For IsAuthenticated to be True the page has to be reloaded or use the better practice; which is to redirect the user to another secured page as soon as the login is successful and in that page check IsAuthenticated.

We had the same issue with Chrome (version 21.0.1180). Despite that we see expiration date on Header, some Chrome in Windows XP ignored it. Then we removed the Expiration Date and Chrome accepted keep the session cookie without problems.

So what to do is: After login try to check this on new page not on same page.

Also try to set cookie explicitly

System.Web.Security.FormsAuthentication.SetAuthCookie(user.Username, false);

Solution 3:

I don't know if this will help or not.

But I remember I was learning jQuery ajax So I setup a simple project on my laptop. When I tested it, it worked fine on IE, but failed in Chrome. After searching for hours, I found that Chrome will not allow AJAX requests from the local machine. When I tested it using an actual web server it worked fine for IE and Chrome.

So my question and advice is: are you testing on the same machine? Try to deploy it to a machine running a web server with a unique domain name and test your application!