Does NonValidatingLoginModule support multi-users login? - ibm-mobilefirst

I started with the sample FormBasedAuthenticationProject which uses NonValidatingLoginModule.
I launched the app and login as testUserA. Works fine. Then I launched another new browser window intended to login as testUserB. But the app thinks I am logged in already and the WL.Server.getActiveUser returns testUserA. Just wonder does WL.Server support multiple users logged in concurrently?

A Browser's windows or tabs share cookies amongst themselves, which is why you say you are already logged-in after launching the web app in a new browser's window. For example, you can login to Facebook in window A, then open window B and you will still be logged in.
If you will test this in a device, this will not happen to you.
To "overcome" this "limitation" when testing in browser, you can:
Clear cookies before trying in window B
Try in incognito mode
Try in a different browser. For example, Safari and Chrome.


Login issues - need to type in PW every time I open the browser page

I keep on being logged out from a a website that I am using from my mobile (Iphone with iOS). Every time I close the tab of the browser, I need to login again. On other mobile devises, iOS too, the issue doesn't seem to happen.
Could this somehow be linked with my phone's cookie policy or so, that leads to sessions being deleted after closing a tab?

vue-authenticate not working on mobile browser: callback opens new tab breaking flow

I'm using vue-authenticate for social account authentication. It works perfectly on desktop browsers, but not android mobile (chrome/firefox).
When authenticating, the popup window opens and works correctly, but then the redirectUri (with the access token) opens in a new browser tab (not the origin tab), therefore losing state and breaking the auth flow.
How to work around this? thx

ADFS web authentication loop in IE

I have a mvc4 web app that sits behind ADFS 2.0 authentication, it's configured using the web.config file. The application can be visited by going directly to a URL or as an iframe inside of CRM 2013.
The application works in all (tested) browsers when visiting the URL directly, both redirection to login form and handing the user back to the web app with the proper information in the ClaimsIdentity.
However, when visiting the app as an iframe inside CRM2013, internet explorer goes into a continous login loop. You are asked to provide the credentials (which are the same as for logging in to CRM) and when you click ok you get redirected back to the same login page again, to my knowledge the app never receives the hand off.
In Safari, Chrome, Firefox, and Opera the users are able to log into the application inside of CRM as well as outside without any problems (I'd even go as far as saying that it works better than expected for these browsers).
Does anyone have any idea of what I can try or what the problem could be for IE?
I'm thinking it has to do with some security setting and am playing around with the settings in IE. Unchecking this box stops the login form from showing in IE at all and I get an empty page instead.
Is the iFrame on the same (sub)domain as the site inside? You can use Fiddler to view your redirect flow, are the cookies added as expected?
I've seen cookies that are overridden by the iFrame host, in that case you lose the auth cookie. Browsers react differently on same domain cookies.
Another problem might be X-Frame-Options, do you see any warning in the F12 console of IE?

Facebook Login Button Behaving Strangely

I am developing an application which on login page also supports facebook login with
I have set up two Apps on facebook:
one for localhost (Web site url http://localhost/, no App Domain)
one for testing server (Web site url, no App
When I am developing on my own computer click on login button operates as expected and I am logged into my application.
When I put my application to the server (change appid and secret to use 2nd App) and click login button the facebook login dialog opens and when I enter email and password it closes but my applciation does not log me in.
Whats more if I check on server I see that process which is handling this web request is constantly increasing memory size (3MB per second) and its taking 50% or more CPU time. If this process is not stopped soon the server becomes unresponsive becouse memory used by it is maximum possible and CPU time is 100%.
This happens as soon as facebook login dialog closes.
In my application I am using library facebook C# SDK from codeplex.
If anyone has any information on what I might be doing wrong O would greatly appreciate the answer.
Found the was not about facebook but .Net Framework. It appears that some versions of framework support parameter passing from dynamic objects and others don't.
So when i changed code from
dynamic fbuser = GetUserData();
dynamic fbuser = GetUserData();
object fbid =;
it started to work...dont really understand why sometimes even on the server it would work (after remote debugging it always worked until dll's were replaced but ...dont really care :) )
Thanks for all replies.
Sounds like an infinite redirect loop.
Check to see what your browser is doing using Firefox's Firebug or a built-in developer tool for Chrome, IE or Safari. I think there might be a setting wrong in your app settings, and by looking at the traffic it might help lead us to the culprit.

When should the authenticated user be reset?

In my web application, I have used the asp Login control to facilitate the login process. I have noticed that if I open the site in a browser and log in, and then open another browser and go to the site, then the second browser shows that I am already logged in, even though I didn't log in using that browser. I have noticed that some other sites (such as my bank's web access) work this way, but it still seems odd to me. I'm not sure if it's bad or not, but it is strange.
Is this behavior bad?
I have also noticed that if I close all of my browsers and then open a new one up and go to the site, I am NOT logged in.
This is because those sites use session cookies. If you open different brwosers at the same time, such as FireFox, Opera, Chrome and IE, you'll have to log in in all of the browsers independently. However, when re-using the same browser application, this usually does not spawn a new process with its own session data but rather re-uses the already open browser.
If you are using a browser that supports multi-tabbed sessions e.g. IE7+, Firefox etc, you will find that, if you have the same ASP.NET website open in multiple tabs, each tab will share the same authentication credentials. This is because the session ID applies to the browser instance, not the tab instance, so if a user logs in on 1 tab, then opens up another tab to the website, they won't have to provide their credentials twice.
I don't think there's an easy way around this behaviour. You could choose employ cookie 'munging', storing the forms authentication ticket on the URL, but this seems like a bad idea from a security POV.
Lucero and pmarflee are both correct.
To provide a bit more information though:
Firefox will share session between tabs and all browser instances
IE 8 will also share session between tabs and all browser instances
IE 7 shares session between tabs, but not across instances
IE 6 does not share session across instances
I'm not sure how Opera, Chrome, or Safari handle sessions.