
'securing' cookies/login info

This is an issue I brought up probably a year or so ago, got some advice,
then was sidetracked on the project until now. So, here I am again. ;o)

The situation is that we have an older chunk of code I've been tasked to
maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago.

It works.

But we have one major issue and that's when people log in, maybe 5% of the
time, they end up with someone else's credentials. There's multiple things
we're likely doing wrong here, so I'll try to explain all the variables that
would affect this and then ask some specific questions:

- a user logs into one of 3 separate apps
- login function is called, which checks their credentials in the DB and
then writes a cookie with their credentials
- every page in the CMS (regardless of which of the 3 apps they are in)
loads a usercontrol onto the page. This usercontrol then reads said cookie
and sets the value of various PUBLIC SHARED variables.

Things that I know are bad:

- the fact we used 3 apps. This should be one app.
- we're storing credentials in a cookie. Quite insecure (though not the end
of the world in this case)
- the way I'm reading in the cookie data

What happens:

- most of the time, nothing. But, once in a while you can tell that a
person has just logged in and from the time they hit LOGIN to the time the
server sends them their web page, someone else has done the same and the
usercontrol reads in the data of SOMEONE else's cookie. If the end-user
refreshes the page, then they're back to their cookie.

What I could do:

1) rewrite the app in asp.net 2.0 and use the built in permissions/roles
system
2) have the cookie only write out their logged-in status and their
username, then check that against the DB each time
3) Not use cookies but session state instead?
4) Fix my bad usercontrol/Public Shared variables?

Options 1 and 2 are out as I'm supposed to be touching this code as little as
possible.

Are options 3 and 4 viable? What, exactly, is causing my issue (cookie data
being sent to the wrong user)? Is it as simple as fixing the way I'm reading
the cookie? Is it better to use session state?

IIRC the last time I went through this, the main issue is the 'SHARED'
variable, which allows every instantiation of it to be 'the' most updated
version that everyone reads. However, I can't remove SHARED as I can't then
access that property from the page that loads the usercontrol. I'm pretty
sure this is all due to me not having a full grasp of OOP and therefore not
creating a new instance of the class I need.

_Darrel
Jun 27 '08 #1
your problem is the shared variables. they are shared for all users, so if
one user request changes them, then they are changed for all users.

it sounds like they are set at the beginning of the request, so as long as two
people do not hit the site at the same time, you are ok.

you can fix the site by removing all shared variables, or add a lock, so
only one user at a time can use the site (this may be the easiest, as load
does not appear to be a problem)

-- bruce (sqlwork.com)
Jun 27 '08 #2
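To make bruce's point concrete, here is an added console program (not code from the thread, and not the CMS's own code) that stands in for two simultaneous logins. A VB.NET "Shared" field is a C# static field, so `SharedUserInfo` has one storage slot for the whole application while `InstanceUserInfo` has one per object. The class and method names are assumptions; the barrier makes both threads write their own name before either reads it back, which is exactly the window between LOGIN and the page being sent that the original post describes.

```csharp
using System;
using System.Threading;

// Added illustration, not code from the thread. A "Shared" (VB.NET) field is a C#
// static field: one storage slot per AppDomain, not one per request.
public class SharedUserInfo
{
    public static string Username;      // stands in for the usercontrol's PUBLIC SHARED variable
}

public class InstanceUserInfo
{
    public string Username;             // one value per object, i.e. per request
}

public static class RaceDemo
{
    static readonly CountdownEvent written = new CountdownEvent(2);          // both requests wrote
    static readonly ManualResetEventSlim render = new ManualResetEventSlim(false);

    // One request against the SHARED design: write the name from "my" cookie, pause
    // (database call, rest of the page lifecycle), then read it back while rendering.
    static string RequestWithSharedField(string cookieUser)
    {
        SharedUserInfo.Username = cookieUser;
        written.Signal();
        render.Wait();
        return SharedUserInfo.Username;
    }

    // Same request against a per-instance design: the value lives in an object that
    // only this request holds, so nobody else can overwrite it.
    static string RequestWithInstanceField(string cookieUser)
    {
        InstanceUserInfo info = new InstanceUserInfo();
        info.Username = cookieUser;
        written.Signal();
        render.Wait();
        return info.Username;
    }

    // Runs two "requests" concurrently and returns what each user's page would show.
    static string[] RunPair(Func<string, string> handler)
    {
        written.Reset();
        render.Reset();
        string[] seen = new string[2];
        Thread alice = new Thread(() => seen[0] = handler("alice"));
        Thread bob   = new Thread(() => seen[1] = handler("bob"));
        alice.Start(); bob.Start();
        written.Wait();     // both threads have stored their own name
        render.Set();       // now let both of them render
        alice.Join(); bob.Join();
        return seen;
    }

    public static void Main()
    {
        string[] s = RunPair(RequestWithSharedField);
        Console.WriteLine("shared field:   alice sees '{0}', bob sees '{1}'", s[0], s[1]);
        string[] i = RunPair(RequestWithInstanceField);
        Console.WriteLine("instance field: alice sees '{0}', bob sees '{1}'", i[0], i[1]);
        // With the shared field both lines show the same name, so one user has been
        // handed the other's identity; with the instance field each sees their own.
    }
}
```

The second run is the fix bruce is describing: once the state is per instance there is nothing to lock, and the "refresh and it comes back" symptom disappears because no other request can overwrite what this request read from its own cookie.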
> you can fix the site by removing all shared variables

That's what I thought. What I'm not so sure about, though, is what to
replace them with.

If I removed the 'shared' declaration, I can't access the variable in the
control from the page that is loading it.
> or add a lock, so
> only one user at a time can use the site (this may be the easiest, as load
> does not appear to be a problem)
Not sure what you mean by that. Do you mean if someone is using the CMS,
block anyone else from using it?

-Darrel
Jun 27 '08 #3
Create properties on the control. Then, in the page, you can access the
properties in the control and set them. The timing is important as if you
set them in the Page_Load event of the page, they won't be available in the
Page_Load of the control since it fires at a different time. The OnPreRender
method of the control will be able to read the properties set by the page in
a Page_Load event. If the code that handles the variables is loaded earlier,
then you can access them earlier in the control's event lifecycle.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - Expression

Jun 27 '08 #4
good old properties. so, I assume properties don't have the 'shared' issue
with them being shared across the application by each user? If so, that
certainly sounds like the best 'band aid' solution for this project until it
can be rewritten.

-Darrel
Jun 27 '08 #5
That's correct. Properties aren't shared. What is typically done is to store
and save the property using the viewstate of the control like so:

    public string MyProperty
    {
        get
        {
            // ViewState is per control instance, so each request sees its own value
            if (ViewState["MyProperty"] != null)
                return ViewState["MyProperty"].ToString();
            else
                return string.Empty;
        }
        set { ViewState["MyProperty"] = value; }
    }

You can do more complex types by using a cast. For example, here's a boolean
with a default value of False if it hasn't been set.

    public bool MyBooleanProperty
    {
        get
        {
            if (ViewState["MyBooleanProperty"] != null)
                return (bool)ViewState["MyBooleanProperty"];
            else
                return false;
        }
        set { ViewState["MyBooleanProperty"] = value; }
    }

These definitions will go within each control that needs them. You may find
it easier to create a new base class that inherits from the UserControl
class for the user controls that would have these properties already
defined. That way if most of the controls need the same properties on each
of them you can just inherit from this new base class instead of having to
define the properties in all your controls by hand.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - Expression

Jun 27 '08 #6
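Putting Mark's two replies together (set instance properties from the page, read them in the control's OnPreRender, and keep the definitions in a shared base class), here is an added example of what the usercontrol and the page could look like. It is not code from the thread or from Darrel's CMS; it is written in C# 1.x style so it would compile under ASP.NET 1.1 (no partial classes, explicit field declarations for controls). `CmsUserControlBase`, `LoginHeader`, `CmsPage`, the `lblUser` label and the `cmsLogin` cookie name are all assumptions. The point is that every value lives on the control instance that belongs to this request; what the cookie contains is unchanged here and is the separate concern the original post already lists.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed base class: the per-instance, ViewState-backed properties Mark describes,
// defined once so every user control that needs them can inherit them.
public class CmsUserControlBase : UserControl
{
    public string Username
    {
        get
        {
            if (ViewState["Username"] != null)
                return (string)ViewState["Username"];
            else
                return string.Empty;
        }
        set { ViewState["Username"] = value; }
    }

    public bool IsAuthenticated
    {
        get
        {
            if (ViewState["IsAuthenticated"] != null)
                return (bool)ViewState["IsAuthenticated"];
            else
                return false;
        }
        set { ViewState["IsAuthenticated"] = value; }
    }
}

// Assumed header control (code-behind for a LoginHeader.ascx). The page sets the
// properties in its Page_Load; the control reads them in OnPreRender, which runs
// after the page's Page_Load, so the values are guaranteed to be there.
public class LoginHeader : CmsUserControlBase
{
    protected Label lblUser;   // assumed to be declared in the .ascx markup

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        Visible = IsAuthenticated;
        if (lblUser != null)
            lblUser.Text = Username;     // this request's name, nobody else's
    }
}

// Assumed page (code-behind for a .aspx that contains <uc1:LoginHeader id="header" runat="server" />).
public class CmsPage : Page
{
    protected LoginHeader header;   // the control instance created for this request

    protected void Page_Load(object sender, EventArgs e)
    {
        // Read this request's own cookie and push the values into this request's
        // own control instance. No static/Shared field is involved anywhere.
        HttpCookie c = Request.Cookies["cmsLogin"];   // assumed cookie name
        if (c != null && c["user"] != null && c["user"].Length > 0)
        {
            header.Username = c["user"];
            header.IsAuthenticated = true;
        }
        else
        {
            header.Username = string.Empty;
            header.IsAuthenticated = false;
        }
    }
}
```

Because `header` is a field of the page object, and ASP.NET creates a fresh page object (and therefore a fresh `LoginHeader`) for every request, two users logging in at the same moment can no longer see each other's values. The ViewState backing store is likewise serialised into that one user's page, not kept in process memory.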
