0

When multiple users are logged into the website, the last logged-in user's details are visible to all previously logged-in users. This is causing a serious vulnerability issue.

I'm not using any session variables to store user data. Instead, once the user has logged into my website, I'm keeping his account details in a helper class file like below. And in all my other pages, I am getting user details like UserData.userid, UserData.username, etc.

public class UserData
{
    public static int userid;
    public static string username;
    public static string useremail;

    public int user_id
    {
        get { return userid; }
        set { userid = value; }
    }

    public string user_name
    {
        get { return username; }
        set { username = value; }
    }

    public string user_email
    {
        get { return useremail; }
        set { useremail = value; }
    }
}
  • 1
    You actually have only one logged in user and that is the last logged in user. No matter how many instances of that class you instantiate, they all have the same userid. – nicomp Apr 13 '19 at 22:06

1 Answer

5

You are declaring the fields of this class as static. This means that every instance of the class UserData will have the same values in these fields.
See here for documentation about the static keyword. When you set these values, you set the same values for every instance still around in your program.

You need to remove the static keyword, but given the fact that you don't really have any use for these fields, you could remove them and simply change your class to use auto-implemented properties instead.

public class UserData
{
    public int user_id {get;set;}
    public string user_name {get;set;}
    public string user_email {get;set;}
}
Steve
  • And since the OP isn't using session, they need to find somewhere to store the instance of this class that *isn't also* static itself – pinkfloydx33 Apr 13 '19 at 22:54
  • @pinkfloydx33 - any suggestion on how to do it ? – Ranjith Kumar Apr 14 '19 at 07:40
  • Any particular reason to not use Sessions? And is this Asp.Net MVC or ASP.NET app? – Steve Apr 14 '19 at 07:53
  • Hi @Steve. That was a customer requirement not to :-( . It's Asp.Net MVC – Ranjith Kumar Apr 14 '19 at 07:54
  • There is a very long and descriptive Q&A here about the Session problem. https://stackoverflow.com/questions/23419011/is-there-a-best-practice-and-recommended-alternative-to-session-variables-in-mvc Cookie seems to be the answer. – Steve Apr 14 '19 at 07:57
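
An added example, not code from the thread or its participants: a console simulation of what the answer and comments describe, where a static field is overwritten by every login while a UserData instance rebuilt for each request from that request's own cookie is not. The HMAC-signed cookie value is a constructed stand-in for the framework's authentication cookie; `Demo`, `StaticUserName`, `Login`, `FromCookie` and the key are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class UserData                        // the answer's instance-based class
{
    public int user_id { get; set; }
    public string user_name { get; set; }
}

public static class Demo
{
    public static string StaticUserName;     // the question's pattern: one slot per process
    // Constructed demo key (assumption); a real key is kept out of source code.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    static string Sign(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool SameMac(string a, string b)  // compares every character, no early exit
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Login: the identity is returned to the client as a signed cookie value.
    public static string Login(int id, string name)
    {
        StaticUserName = name;               // overwritten by whoever logs in last
        string payload = id + "|" + name;
        return payload + "|" + Sign(payload);
    }
    // Every request: verify its own cookie, then build a fresh UserData from it.
    public static UserData FromCookie(string cookie)
    {
        int cut = cookie.LastIndexOf('|');
        if (cut < 0 || !SameMac(Sign(cookie.Substring(0, cut)), cookie.Substring(cut + 1))) return null;
        string[] p = cookie.Substring(0, cut).Split(new[] { '|' }, 2);
        return new UserData { user_id = int.Parse(p[0]), user_name = p[1] };
    }
    public static void Main()
    {
        string cookieA = Login(1, "alice");
        string cookieB = Login(2, "bob");    // a second user logs in afterwards
        Console.WriteLine("static field during alice's request: " + StaticUserName);
        Console.WriteLine("instance built from alice's cookie:  " + FromCookie(cookieA).user_name);
        Console.WriteLine("edited cookie accepted: " + (FromCookie(cookieA.Replace("alice", "bob")) != null));
    }
}
```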