2

How can I sign in with a different account per tab in ASP.NET MVC 5 and Identity?

Is there a configuration that doesn't use cookies?

This is my configuration code:

    ' Enable the application to use a cookie to store information for the signed in user
    app.UseCookieAuthentication(New CookieAuthenticationOptions() With {
        .AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        .LoginPath = New PathString("/Account/Login")
    })
    ' Use a cookie to temporarily store information about a user logging in with a third party login provider
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie)
4
  • I think you forgot to remember that the web is by nature stateless, and has no idea of tabs. Why do you want to have a separate session per tab anyways? Commented Dec 1, 2014 at 18:25
  • Well, I need functionality similar to Gmail's "Sign in with another account". Is it possible to implement something similar? Commented Dec 1, 2014 at 19:39
  • 1
    Sure it's possible to do that. Obviously Gmail has done it. But that's not creating another Session. Commented Dec 1, 2014 at 19:40
  • 1
    Google's multiple sign on actually links accounts. It's not creating a different session or anything. It's simply adding another account to the existing authentication and internally setting some flag about which of the linked accounts you're actually using at the moment. Commented Dec 1, 2014 at 19:47

1 Answer

6

This is not possible. The web is stateless: each request is a unique snowflake, unaffected by any other request made before or after. However, since logically some sort of state needs to exist for things like authentication, sessions were created to basically fake a sense of state.

To work, sessions have a server-side and client-side component. On the server, some persistence layer is employed to store user-related data tied to a token that uniquely identifies the particular session. On the client, a cookie is set with that token. When the client makes another request, all the cookies that belong to the particular domain in play are sent along with the request back to the server, which includes the cookie with the session token if one exists. Once the server sees this cookie in the request, it uses the token to look up the session from the persistence layer and restore the state the user had during the previous request.

The point is that this process is dumb. The client blindly sends any cookies the server sets back to the server with each request. And, if the server gets a cookie with a session token it recognizes, it blindly restores the state. There's no consideration for how many tabs are in play or even what the content of the cookie is (the client doesn't know and doesn't care that the cookie is being used to manage a session, authentication, etc.).

Long and short, there's nothing you can do to force a session per tab or window. On the client-side, you can open a different browser (which would not have the cookie holding the session token) or use something like Chrome's incognito mode (which creates a sandboxed browsing experience without any previously set cookies). However, those are choices the user makes, not the website.
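
The cookie behaviour this answer describes, as a small model added here (not code from the question or the answer, and not ASP.NET Identity code): a server-side session store plus a browser cookie jar that every tab of one profile shares. The class names, the `session` cookie name and the `https://app.example` origin are constructed for illustration.

```javascript
// Added illustration (constructed model): a cookie jar keyed by origin and
// shared by every tab of one browser profile, plus a server-side session store.
const { randomBytes } = require("node:crypto");

class Server {
  constructor() { this.sessions = new Map(); }            // token -> user name
  // Sign-in: create a server-side session and return the cookie value to set.
  login(user) {
    const token = randomBytes(16).toString("hex");        // unguessable token
    this.sessions.set(token, user);
    return token;
  }
  // Any later request: state is restored purely from the cookie that arrived.
  whoAmI(cookies) {
    return this.sessions.get(cookies.get("session")) ?? "anonymous";
  }
}

class Profile {                                           // one jar per profile
  constructor() { this.jar = new Map(); }                 // origin -> cookies
  openTab(origin, server) { return new Tab(this, origin, server); }
}

class Tab {
  constructor(profile, origin, server) { Object.assign(this, { profile, origin, server }); }
  cookies() {                                             // tabs own no cookies
    if (!this.profile.jar.has(this.origin)) this.profile.jar.set(this.origin, new Map());
    return this.profile.jar.get(this.origin);
  }
  signIn(user) { this.cookies().set("session", this.server.login(user)); }
  request() { return this.server.whoAmI(this.cookies()); }
}

function demo() {
  const server = new Server();
  const origin = "https://app.example";                   // constructed origin
  const normal = new Profile();
  const tabA = normal.openTab(origin, server);
  const tabB = normal.openTab(origin, server);
  const privateTab = new Profile().openTab(origin, server); // separate jar
  tabA.signIn("alice");
  const tabBBefore = tabB.request();   // tab B never signed in, yet sees alice
  tabB.signIn("bob");                  // overwrites the one shared cookie
  privateTab.signIn("carol");
  return { tabBBefore, tabA: tabA.request(), tabB: tabB.request(),
           privateTab: privateTab.request(), liveSessions: server.sessions.size };
}
console.log(demo());
```

In this model alice's server-side session still exists after bob's sign-in replaced the cookie, which is why `liveSessions` counts three: it lingers until the server expires it.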
