ASP Net - Security problem/issue ASP.Net
#1

Hello,

I'm facing a big problem in an Asp.Net application. When users connect to the application, I store their user information in the session object (session_start). But when 2 users click (nearly) at the same time on the page myprofile, the first user sees his profile (the correct one) and the second sees the profile of the first (very bad). The "HttpContext.Current.User.Identity" is not the expected one.

web.config entries:

    <authentication mode="Windows"/>
    <identity impersonate="false"/>
    <authorization>
      <allow users="*"/>
    </authorization>
    <sessionState mode="InProc" cookieless="false" timeout="20"/>

Any idea?

Many thanks for your help.

Gilles

#2

HttpContext.Current.User.Identity represents the currently logged-in user. If the web disallows anonymous authentication, this will (probably) be a different user with each client. If anonymous browsing is allowed, the user will always be the Anonymous Internet User account.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

#3

Thanks for your quick reply,

The Web Server is set to: "Integrated Windows authentication" and "Anonymous access" is disabled. What else can I do to avoid this session mix?

Thanks

Gilles

#4

> The Web Server is set to:
> "Integrated Windows authentication"
> and "Anonymous access" is disabled.
> What else can I do to avoid this session mix ?

I'm not sure. I haven't had to deal with this issue before. But if I'm reading the SDK correctly, you need to set the "identity impersonate" attribute to true. From what I've read, this enables "per request" impersonation.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

#5

Thanks Kevin,

I'll try that tomorrow (it's 19h00 here in Belgium), but I'm quite sure I tried that some time ago and it didn't work... I'll keep you informed.

Gilles
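
A diagnostic check for the symptom described in this thread, as an added example that is not code from any of the posters: it records the authenticated Windows identity when the session starts and compares it with `HttpContext.Current.User.Identity` on every later request, so a mismatch is logged and refused instead of rendered. The session key name, the log message and the 403 response are assumptions, and the handler names assume ASP.NET 2.0 or later.

```csharp
// Global.asax.cs -- added diagnostic example, not code from the thread.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Assumed session key; any name not used elsewhere in the application works.
    private const string OwnerKey = "__sessionOwner";

    // Runs once per new session, after Windows authentication has set Context.User.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[OwnerKey] = Context.User.Identity.Name;
    }

    // Runs on every request after session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;

        // Requests served without session state have no Session object.
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        string current = ctx.User.Identity.Name;         // identity of this request
        string owner = ctx.Session[OwnerKey] as string;  // identity that started the session

        if (owner == null)
        {
            // Session created before this check was deployed: bind it now.
            ctx.Session[OwnerKey] = current;
            return;
        }

        if (!String.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            // Record enough to investigate, then refuse to serve another user's data.
            Trace.TraceWarning("Session {0} owned by {1} was presented by {2} for {3}",
                ctx.Session.SessionID, owner, current, ctx.Request.RawUrl);
            ctx.Session.Abandon();
            ctx.Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```

The profile page can apply the same rule by loading the profile for the current request's `User.Identity.Name` rather than for a value cached when the session started.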