9

I am analyzing a problem from an old asp.net site made by one of my colleagues who left the company some months ago.

The problem is that a few times we have experienced that two users' sessions are mixed up, so that if, for example, two users are logged in, one user sees the other user's data. As it happens very rarely (once a month or so) it is difficult to figure out what goes wrong.

I have now stepped through his code for authentication and it goes like this:

  1. The user enters username/password on a public page and presses submit
  2. On Page_Load on the Masterpage the code checks in a mySql database that the username/password is valid, not expired etc. and returns a unique userid if ok
  3. The page then saves the login page in session like this (used for later logout): HttpContext.Current.Session(Consts.CCookieName_LoginUrl) = Request.RawUrl
  4. Then the userid is saved like this: FormsAuthentication.SetAuthCookie(userid, False)
  5. Then a redirect to the secure area is performed: Context.Response.Redirect(secureurl, False)
  6. In Page_Init of the masterpage of the secure area the userid is read by: userid = Context.User.Identity.Name
  7. The user data is loaded according to the userid
  8. The user navigates the secure area, i.e. steps 6 - 7 are repeated
  9. The user suddenly sees another user's data

I have some ideas on what is going wrong, but would like to have some input before modifying the code, so please anyone?

Muleskinner
  • We too use asp.net forms authentication and have infrequent reports of this; we are never able to repro the issue and debug it, unfortunately. I hope someone can add something more useful. – Matt Evans Jun 23 '11 at 03:42
  • Take a look at this accepted answer: http://stackoverflow.com/questions/6441182/aspx-global-instance-of-class-possible-bug-in-code-structure/6441357#6441357 I believe this solved our issue – Muleskinner Jun 23 '11 at 07:08
  • Are you using any kind of caching? – Daniel Powell Jun 25 '11 at 11:51
  • No caching; the instance of the user which is loaded in step 7 above was declared in a module - I believe this was the problem – Muleskinner Jun 26 '11 at 08:07

2 Answers

6

It's hard to tell here. Have you configured Form Authentication?

This is the process you have to follow for Form Authentication: In your web.config you set up the authentication system:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="Home.aspx" timeout="30" slidingExpiration="true" />
</authentication>

<authorization>
  <deny users="?"/>
</authorization>

Your login page (post-back) checks the credentials (not your master page). If the user is valid then you set the cookie:

FormsAuthentication.SetAuthCookie(userid, False)

and redirect to another page. Now, you have to set your principal reading the cookie here:

protected void Application_AuthenticateRequest(Object sender, EventArgs e) {
    if (HttpContext.Current.User != null) {
        if (Request.IsAuthenticated == true) {
            // Debug#1
            // Read the cookie written by SetAuthCookie; it can be absent on this request
            HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (authCookie == null) return;
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
            // In this case, ticket.UserData = "Admin"
            string[] roles = new string[1] { ticket.UserData };
            FormsIdentity id = new FormsIdentity(ticket);
            // The principal belongs to this request only; assign it to Context.User, not to a shared field
            Context.User = new System.Security.Principal.GenericPrincipal(id, roles);
            // Debug#2
        }
    }
}

Obviously, I've simplified, but this is the path you have to follow to do things properly.

LeftyX
  • Thanks a lot, cleaned up my code according to your input (do not believe it solved the specific issue however). – Muleskinner Jun 23 '11 at 07:12
  • @Muleskinner: no problem. I am glad I could help in a way. To solve your specific code I might need to have a look at the code. Another thing I forgot. You have to set Thread.CurrentPrincipal = HttpContext.Current.User as Xhalent suggested here: http://stackoverflow.com/questions/6043100/asp-net-mvc-and-windows-authentication-with-custom-roles – LeftyX Jun 23 '11 at 12:33
4

I would hunt around for any statics that shouldn't be static (and sharing stuff across threads/requests).

Perhaps it's not authentication related at all. Have you tried dumping the Context.User.Identity.Name value alongside that wrong data result? Does it also return you the wrong username?

Can you reproduce the problem when you can guarantee only one user is active on the site?
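As an added example (not code from the question or either answer), the C# program below models what the asker's last comment and this answer point at: a user record held in a static field (the C# equivalent of a VB.NET Module member) is one slot shared by every concurrent request in the worker process, whereas a per-request slot, which in ASP.NET would be HttpContext.Current.Items or an instance field of the page, cannot cross over. The two handlers, the two-user workload and the Thread.Sleep that widens the race window are assumptions made for the demonstration.

```csharp
// Added example: shared static state vs per-request state under concurrent requests.
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

public class UserRecord { public string UserId; }

// Vulnerable pattern: a static field (VB.NET Module member) is one slot for all requests.
public static class SharedUserState
{
    public static UserRecord Current;
}

public static class RequestPipeline
{
    // Step 7 of the question, shared version: load the user for the authenticated id,
    // run page logic, render. Returns the user id that was actually rendered.
    public static string HandleRequestShared(string authenticatedUserId)
    {
        SharedUserState.Current = new UserRecord { UserId = authenticatedUserId };
        Thread.Sleep(1);                        // page logic; another request can overwrite Current here
        return SharedUserState.Current.UserId;  // may now belong to a different user
    }

    // Hardened version: per-request storage. The dictionary stands in for HttpContext.Items.
    public static string HandleRequestScoped(string authenticatedUserId)
    {
        var items = new Dictionary<string, object>();
        items["CurrentUser"] = new UserRecord { UserId = authenticatedUserId };
        Thread.Sleep(1);
        return ((UserRecord)items["CurrentUser"]).UserId;
    }

    // Runs many concurrent "requests" from two logged-in users (constructed workload)
    // and counts how many rendered a user other than the one that was authenticated.
    public static int CountCrossovers(Func<string, string> handler, int requests)
    {
        int crossovers = 0;
        Parallel.For(0, requests, i =>
        {
            string me = "user-" + (i % 2);
            if (handler(me) != me) Interlocked.Increment(ref crossovers);
        });
        return crossovers;
    }

    public static void Main()
    {
        Console.WriteLine("shared static : {0} crossovers", CountCrossovers(HandleRequestShared, 2000));
        Console.WriteLine("per request   : {0} crossovers", CountCrossovers(HandleRequestScoped, 2000));
    }
}
```

The shared count is nondeterministic and depends on available cores, while the per-request count is always zero; the same contrast is what to look for in the real site by logging Context.User.Identity.Name next to the rendered data, as suggested above.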