Security problem/issue ASP.Net

Hello,
I'm facing a big problem in an ASP.NET application. When
users connect to the application, I store their user
information in the session object (session_start).
But when 2 users click (nearly) at the same time on the
page myprofile, the first user sees his profile (the
correct one) and the second sees the profile of the first
(very bad).
The "HttpContext.Current.User.Identity" is not the
expected one.
web.config entries:
<authentication mode="Windows"/>
<identity impersonate="false"/>
<authorization>
  <allow users="*"/>
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="20"/>
Any idea?
Many thanks for your help.
Gilles
Nov 19 '05 #1
HttpContext.Current.User.Identity represents the currently logged-in user.
If the web disallows anonymous authentication, this will (probably) be a
different user with each client. If anonymous browsing is allowed, the user
will always be the Anonymous Internet User account.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

Nov 19 '05 #2
Thanks for your quick reply,

The Web Server is set to:
"Integrated Windows authentication"
and "Anonymous access" is disabled.
What else can I do to avoid this session mix?

Thanks

Gilles

Nov 19 '05 #3
> The Web Server is set to:
> "Integrated Windows authentication"
> and "Anonymous access" is disabled.
> What else can I do to avoid this session mix?

I'm not sure. I haven't had to deal with this issue before. But if I'm
reading the SDK correctly, you need to set the "identity impersonate"
attribute to true. From what I've read, this enables "per request"
impersonation.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

Nov 19 '05 #4
Thanks Kevin,

I'll try that tomorrow (it's 19h00 here in Belgium :) ),
but I'm quite sure I tried that
some time ago and it didn't work...
I'll keep you informed.

Gilles

Nov 19 '05 #5
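
A per-request check for the symptom described in this thread, as an added example that is not code from any of the posters: it binds each session to the Windows account that opened it and refuses any request whose HttpContext.Current.User.Identity does not match. The session key "AuthUser" and the choice of a 403 response are assumptions made for this sketch.

```csharp
// Global.asax.cs: added example, not code from the thread.
// "AuthUser" is a hypothetical session key chosen for this sketch.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    private const string OwnerKey = "AuthUser"; // hypothetical key

    // Bind the new session to the Windows account that opened it.
    protected void Session_Start(object sender, EventArgs e)
    {
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
            Session[OwnerKey] = Context.User.Identity.Name;
    }

    // Runs on every request, after session state has been loaded
    // and before the page handler executes.
    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // handler without session state, or no authenticated caller

        string current = ctx.User.Identity.Name;
        string owner = ctx.Session[OwnerKey] as string;

        if (owner == null)
        {
            ctx.Session[OwnerKey] = current; // first authenticated request
            return;
        }

        // Windows account names are case-insensitive.
        if (!String.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            // Record enough to correlate the two users afterwards.
            Trace.WriteLine(String.Format(
                "Session owner mismatch: session={0} owner={1} request={2} url={3}",
                ctx.Session.SessionID, owner, current, ctx.Request.RawUrl));
            ctx.Session.Abandon();         // drop the mixed-up session data
            ctx.Response.StatusCode = 403; // never render another user's profile
            CompleteRequest();             // skip the page handler
        }
    }
}
```

The logged session ID and account names show whether two users really shared one session or whether the profile data was mixed elsewhere in the application.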
