Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Windows identity getting confused between users

Reply
Thread Tools

Windows identity getting confused between users

 
 
Scottrm
Guest
Posts: n/a
 
      06-30-2010
We are observing some strange behaviour in our web server logs where where
the Identity of the currently logged in user seems to be getting swapped with
another user. I will describe our set up before explaining further.

We are running an asp.net web site (v3.5 of the framework) on 2 Windows 2008
web servers and use forms authentication.They are load balanced using a
separate server running Apache 2.2 on Linux (Cent OS 5). The load balancing
simply attaches a cookie to a user and directs them to a particular server
for each subsequent request.

We notice on occasion patterns in the log like this (details obfuscated)

First Log Entry

UserName - http://www.velocityreviews.com/forums/(E-Mail Removed)

UserId - 1111

WebPage - page1

IP - ip1

Time - 2010-06-29 12:56:20.750

SessionId - h3uyz2fsdfegugjy452sdz0far

Second Log Entry

UserName - (E-Mail Removed)

UserId - 2222

WebPage - page2

IP - ip2

Time - 2010-06-29 12:57:16.133

SessionId - 21ipjsdfsdfieqqwyfdokgqsb55

We are using forms authentication using the standard asp.net forms
authentication framework (the standard login control and we implemented a
custom membership provider).

The UserName is the Windows identity retrieved using
"HttpContext.Current.User.Identity.Name" The UserId is the database Id set in
the session. The sessionId is retrieved using
"HttpContext.Current.Session.SessionID"

As you can see the same Windows identity is the same for 2 different users,
under different IP addresses and with different session id's, hitting the
site about the same time. We checked and the IP's were from totally different
locations. The wrong windows identity seems to be getting recorded. UserId
2222 should have a different username recorded.

Since it happens very occasionally, the code is standard and has not changed
substantially for some time we don't "think" it is a coding error. We presume
either a problem with the load balancer or some problem in the web server. I
have never heard of such problems in asp.net before.

Recently we did change our set up from IIS6 on Windows 2003 and a Cisco
hardware load balancer to the current setup of IIS7 on Windows 2008 and the
Apache load balancing. Any ideas appreciated.

The forms authentication entry in the web.config is

authentication mode="Forms"

forms loginUrl="LoginPage.aspx" name=".ASPXFORMSAUTH"

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ASP.NET 2.0 Impersonation of fixed identity - truncation of identity JimLad ASP .Net 0 01-16-2009 10:42 AM
HttpContext.Current.User.Identity.Name AND Context.User.Identity.Name; nalbayo ASP .Net 2 11-11-2005 11:12 PM
Difference between System.Web.HttpContext.Current.User.Identity.Name and System.Threading.Thread.CurrentPrincipal.Identity.Name jeremy.rice@alkermes.com ASP .Net Security 5 11-08-2005 05:25 PM
Issue with Identity Impersonation and user identity used passed for trusted SQL connection. Frederick D'hont ASP .Net Security 0 07-25-2005 02:41 PM
Difference between HttpContext.Current.User.Identity and identity Impersonation Giovanni Bassi ASP .Net 0 10-20-2003 02:25 PM



Advertisments