
ASP.NET session switching

We have a private site for customers. Clients often tell us that they see the profile of another user.

Our authentication procedure looks like this: credentials -> check the DB table -> UserId saved in Session.

As I understand, the user somehow switches to another user's session. Can anyone name at least one possibility for it?

When output caching is enabled on a page, the entire HTTP response is cached, including the response headers. That means the HTTP header that sets session cookies can be cached there, too.

Be sure to disable output caching on any page that sets user-specific cookies. Note that disabling kernel mode caching isn't enough -- the entire response is also cached separately by the ASP.NET runtime.

However, you can still safely enable client-side caching on those pages, if appropriate (Location="Client").
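One way to enforce the advice above site-wide, as an added example that is not part of the original answer: an IHttpModule (the class name is hypothetical) that keeps any response carrying cookies out of the server-side output cache while still allowing client-side caching.

```csharp
using System;
using System.Web;

// Hypothetical safety-net module; the name is an assumption, not from the answer.
// Register it in web.config under <system.webServer><modules>.
public sealed class NoCacheWhenCookieSetModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostReleaseRequestState fires before UpdateRequestCache, the stage
        // at which the output cache stores the finished response.
        app.PostReleaseRequestState += OnPostReleaseRequestState;
    }

    private static void OnPostReleaseRequestState(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Context.Response;

        // Cookies queued through Response.Cookies (session ID, auth ticket, ...)
        // will be sent as Set-Cookie headers and belong to this user only.
        if (response.Cookies.Count == 0)
            return;

        // Keep this response out of the ASP.NET output cache.
        response.Cache.SetNoServerCaching();

        // Cache-Control: private keeps it out of shared proxies as well,
        // while the user's own browser may still cache the page.
        response.Cache.SetCacheability(HttpCacheability.Private);
    }

    public void Dispose() { }
}
```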

It sounds like you are saving profile data in static variables. Also, you should never implement your own authentication mechanism, but base it on the built-in ASP.NET forms authentication. There is already built-in support for SQL Server based authentication.
