Re: Security problem/issue ASP.Net

From: Gilles (anonymous_at_discussions.microsoft.com)
Date: 02/07/05 

Date: Mon, 7 Feb 2005 10:02:10 -0800

Thanks Kevin,

I'll try that tomorrow (it's 19h00 here in Belgium :) ),
but I'm quite sure I tried that
some time ago and it didn't work...
I'll let you informed.

Gilles

>-----Original Message-----
>> The Web Server is set to:
>> "Integrated Windows authentication"
>> and "Anonymous access" is disabled.
>> What else can I do to avoid this session mix ?
>
>I'm not sure. I haven't had to deal with this issue
before. But if I'm
>reading the SDK correctly, you need to set the "identity
impersonate"
>attribute to true. From what I've read, this enables "per
request"
>impersonation.
>
>--
>HTH,
>
>Kevin Spencer
>Microsoft MVP
>..Net Developer
>Neither a follower nor a lender be.
>
><anonymous@discussions.microsoft.com> wrote in message
>news:142e01c50d32$01c60e10$a501280a@phx.gbl...
>> Thanks for your quick reply,
>>
>> The Web Server is set to:
>> "Integrated Windows authentication"
>> and "Anonymous access" is disabled.
>> What else can I do to avoid this session mix ?
>>
>> Thanks
>>
>> Gilles
>>>-----Original Message-----
>>>HttpContext.Current.User.Identity represents the
>> currently logged-in user.
>>>If the web disallows anonymous authentication, this will
>> (probably) be a
>>>different user with each client. If anonymous browsing is
>> allowed, the user
>>>will always be the Anonymous Internet User account.
>>>
>>>--
>>>HTH,
>>>
>>>Kevin Spencer
>>>Microsoft MVP
>>>..Net Developer
>>>Neither a follower nor a lender be.
>>>
>>>"Gilles" <anonymous@discussions.microsoft.com> wrote in
>> message
>>>news:24b601c50d2e$a23116f0$a401280a@phx.gbl...
>>>> Hello,
>>>> I'm facing a big problem in an Asp.Net application, when
>>>> users connect the application, I store their user
>>>> informations into the session object (session_start).
>>>> But when 2 users click (nearly) at the same time on the
>>>> page myprofile, the first user sees his profile (the
>>>> correct one) and the second sees the profile of the
>> first
>>>> (very bad).
>>>> the "HttpContext.Current.User.Identity" is not the
>>>> expected one.
>>>> web.config entries:
>>>> <authentication mode="Windows"/>
>>>> <identity impersonate="false"/>
>>>> <authorization>
>>>> <allow users="*"/>
>>>> </authorization>
>>>> <sessionState mode="InProc" cookieless="false"
>>>> timeout="20"/>
>>>> Any idea ?
>>>> Many thanks for your help.
>>>> Gilles
>>>
>>>
>>>.
>>>
>
>
>.
>

Relevant Pages

  • Re: Security problem/issue ASP.Net
    ... > The Web Server is set to: ... > What else can I do to avoid this session mix? ... >>> page myprofile, the first user sees his profile (the ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Coding inside the debugger
    ... >you are trying to avoid its thread becomming blocked on the read where ... >no more packets are left to transfer. ... brief periods in the midst of the session. ... "The aim of science is not to open the door to infinite wisdom, ...
    (comp.object)
  • Re: [PHP] A stupid question?
    ... I want to know how php could know whether session_start() has been called, that is, whether session has been started. ... It is a good idea to use output buffering to help aid ... to avoid spurious output of whitespace avoid including the trailing '?>' is ...
    (php.general)
  • Re: 3-Tier Web Application, forms authentication, persistence of u
    ... I'd actually prefer to avoid using Session. ... management (SQL Server, state server etc), which I'd like to try and avoid if ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: customize the httpcontext.current.user
    ... store the user information in Session. ... if you want to avoid ... querying database everytime the information is needed, ... in the Session state is really the only way to go. ...
    (microsoft.public.dotnet.framework.aspnet)