
We have a private site for customers. Clients often tell us that they see the profile of another user.

Our authentication procedure looks like this: credentials -> check the DB table -> UserId saved in Session.

As I understand it, the user somehow switches to another user's session. Can anyone name at least one possible cause?

Yorik.sar
  • As you explain it, it should not be possible for users to get each other's sessions. But perhaps you should post some code. – driis Dec 28 '09 at 11:40
  • If you could post some code, it might help. – RickNZ Dec 30 '09 at 00:16
  • Similar question here. Give it a try on the solution proposed there. http://stackoverflow.com/questions/1646274/asp-net-session-mix-up-using-stateserver-scary – Pedro Dec 28 '09 at 11:39
  • Thanks for guidance. Turned off output caching in web.config. Hope it'll solve the problem. – Yorik.sar Dec 28 '09 at 11:57

2 Answers


When output caching is enabled on a page, the entire HTTP response is cached, including the response headers. That means the HTTP header that sets session cookies can be cached there, too.

Be sure to disable output caching on any page that sets user-specific cookies. Note that disabling kernel mode caching isn't enough -- the entire response is also cached separately by the ASP.NET runtime.

However, you can still safely enable client side caching on those pages, if appropriate (Location="Client").

RickNZ
  • I'm sorry but I can't find the way to switch off this output caching. Can you show me the door? – Yorik.sar Dec 29 '09 at 14:21
  • Do you have an `<%@ OutputCache %>` directive at the top of your *.aspx file? Or are you making any calls against the `Response.Cache` object in the code behind for the page or any controls or master pages it uses? – RickNZ Dec 30 '09 at 00:14
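To make the directive-level fix concrete, here is an added example (not code from the question or either answer) of a Web Forms code-behind for a hypothetical Profile.aspx; the page name, the Login.aspx redirect and the Session["UserId"] key follow the question's description and are assumptions:

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical Profile.aspx (name assumed) that renders
// user-specific data and, on the first hit after login, also emits the session cookie.
//
// Weak setting, as a page directive in Profile.aspx:
//   <%@ OutputCache Duration="300" VaryByParam="none" %>
// With that directive the ASP.NET output cache stores the whole response,
// Set-Cookie header included, and replays it to the next visitor, who then
// continues with the first user's session id.
//
// Corrected setting, as a page directive:
//   <%@ OutputCache Duration="300" VaryByParam="none" Location="Client" %>
// Location="Client" maps to HttpCacheability.Private: only the user's own browser
// may cache the page; the server-side output cache and shared proxies skip it.
public partial class Profile : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Enforce the same policy from code, so that a directive, a master page
        // or a user control calling Response.Cache cannot re-enable server caching.
        Response.Cache.SetCacheability(HttpCacheability.Private);
        Response.Cache.SetNoServerCaching();

        // Read the user from session state on every request; never copy it into
        // a static field, which is shared by all requests in the worker process.
        string userId = Convert.ToString(Session["UserId"]);  // key assumed
        if (string.IsNullOrEmpty(userId))
        {
            Response.Redirect("~/Login.aspx", true);  // assumed login page
            return;
        }

        // Render user-specific data for userId here ...
    }
}
```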

It sounds like you are saving profile data in static variables. Also, you should never implement your own authentication mechanism, but base it on the built-in ASP.NET forms authentication. There is already built-in support for SQL Server based authentication.

Klaus Byskov Pedersen