Re: Security problem/issue ASP.Net

From: Kevin Spencer (kevin_at_DIESPAMMERSDIEtakempis.com)
Date: 02/07/05


Date: Mon, 7 Feb 2005 12:41:11 -0500


> The Web Server is set to:
> "Integrated Windows authentication"
> and "Anonymous access" is disabled.
> What else can I do to avoid this session mix ?

I'm not sure. I haven't had to deal with this issue before. But if I'm
reading the SDK correctly, you need to set the "identity impersonate"
attribute to true. From what I've read, this enables "per request"
impersonation.

-- 
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
<anonymous@discussions.microsoft.com> wrote in message 
news:142e01c50d32$01c60e10$a501280a@phx.gbl...
> Thanks for your quick reply,
>
> The Web Server is set to:
> "Integrated Windows authentication"
> and "Anonymous access" is disabled.
> What else can I do to avoid this session mix ?
>
> Thanks
>
> Gilles
>>-----Original Message-----
>>HttpContext.Current.User.Identity represents the currently logged-in user.
>>If the web disallows anonymous authentication, this will (probably) be a
>>different user with each client. If anonymous browsing is allowed, the user
>>will always be the Anonymous Internet User account.
>>
>>-- 
>>HTH,
>>
>>Kevin Spencer
>>Microsoft MVP
>>.Net Developer
>>Neither a follower nor a lender be.
>>
>>"Gilles" <anonymous@discussions.microsoft.com> wrote in message
>>news:24b601c50d2e$a23116f0$a401280a@phx.gbl...
>>> Hello,
>>> I'm facing a big problem in an Asp.Net application: when
>>> users connect to the application, I store their user
>>> information into the session object (session_start).
>>> But when 2 users click (nearly) at the same time on the
>>> page myprofile, the first user sees his profile (the
>>> correct one) and the second sees the profile of the first
>>> (very bad).
>>> the "HttpContext.Current.User.Identity" is not the
>>> expected one.
>>> web.config entries:
>>> <authentication mode="Windows"/>
>>> <identity impersonate="false"/>
>>> <authorization>
>>> <allow users="*"/>
>>> </authorization>
>>> <sessionState mode="InProc" cookieless="false" timeout="20"/>
>>> Any idea ?
>>> Many thanks for your help.
>>> Gilles
>>
>>
>> 
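
An added example, not part of the original thread or written by either poster: a Global.asax check that compares the user a session was first seen with against `HttpContext.Current.User.Identity` on every request, so a session serving data to a different Windows account is cleared and logged instead of displayed. It assumes profile data is kept in `Session` as described above; the session key `BoundUser` is a hypothetical name.

```csharp
// Global.asax.cs (added example; "BoundUser" is a hypothetical session key)
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    private const string BoundUserKey = "BoundUser";

    // Runs on each request at the point where session state is acquired.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Requests handled without session state have no Session object.
        if (ctx == null || ctx.Session == null) return;

        // With Windows authentication and anonymous access disabled, this is
        // the account authenticated for this particular request.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        string current = ctx.User.Identity.Name;

        string bound = ctx.Session[BoundUserKey] as string;
        if (bound == null)
        {
            // First request in this session: record which account owns it.
            ctx.Session[BoundUserKey] = current;
            return;
        }

        if (!string.Equals(bound, current, StringComparison.OrdinalIgnoreCase))
        {
            // The session was populated for another account. Drop its
            // contents so stale profile data is never rendered, then rebind.
            Trace.WriteLine("Session " + ctx.Session.SessionID +
                            " bound to " + bound + " but request is " + current);
            ctx.Session.Clear();
            ctx.Session[BoundUserKey] = current;
        }
    }
}
```

This check only covers data held in `Session`; it does not identify why the wrong profile was shown, and pages that read the profile must reload it after the session is cleared.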

