ASHX vs ASPX login

Question

I have a handler doing the authentication (because i use $.ajax jquery) but if i open two tabs in browser (eg. google chrome) the second tab dont know any of the sessions. I would like to remain with the same sessions in the browser, for if the user acidentily closes it, if it open a tab and remains there (for example).

EXPLANATION:

user inputs his data -> goes to -> handler.ashx -> do authentication -> goes to -> homepage

and if i open a new tab and write the url of my website it asks for me to login again, how can i solve this problem.

I've tried using a class.cs to store the session but it didn't work.

$.ajax

        function loginUser() {
            $("#alertError").hide();
            $mail = $("#login_mail").val();
            $pass = $("#login_password").val();
            if ($mail != "" && $pass != "") {
                var jsonData = {
                    "mail": $mail,
                    "pass": $pass
                }
                jsonData = JSON.stringify(jsonData);
                $.ajax({
                    url: "../handlers/users/login.ashx",
                    cache: false,
                    type: "POST",
                    data: jsonData,
                    success: function (data) {
                        if (data == "up") {
                            window.location = "/market/";
                            loadSlider();
                        }
                        else
                        {
                            $("#alertError").text("");
                            $("#alertError").html(data);
                            $("#alertError").show();
                            $("#login_password").val("");
                            $("#login_password").focus();
                        }
                    }
                });
            }
            else
            {
                $("#alertError").text("");
                $("#alertError").html("Full fill all the fields.");
                $("#alertError").show();
            }
        }

Answer 1

This is intentional behavior of the web browser. It is for safety/security reasons. If you open a new tab and enter a web address, the new tab should be completely unaware of any state on the other tabs. In contrast, if you open another tab by doing a ctrl+click on a web page, then the browser will open a new tab that is sharing the same browsing context. This would be one reasonable work-around to what you are trying to do.

If your goal is to open another browser tab and have it auto-login, you could accomplish this by using persistent cookies. However, you should be aware that this introduces a security caveat that could be exploited via XSS. Also, the new (auto-logged-in) tab will not be aware of other session variables because it will be using a different session.

There really is nothing that you could do in aspx or ashx that will trick the browser into sharing a session between two browser tabs (or browser windows, etc) that are not sharing the same browsing context. It would be a very big security vulnerability.

Answer 2

Are you deleting sessions at login page? And do you have this on your ashx?

public class YourHandleName : IHttpHandler, IRequiresSessionState 

Answer 3

HttpContext.Session contains the current user's browser session variables. Use it on the ASPX and ASHX code behinds to authenticate. On page reload you would check if the user is authenticated, else would redirect to the ashx handler.