How to avoid session sharing in ASP.NET applications

Bhaskar

Hello Friends,

Can any of you please help with this issue?

I have an ASP.NET application written in VB.NET that requires the user to
log in. I authenticate user using LDAP, so if the user id is active in
our company NT network he/she can log in with her/his user id/password.

Now first John Smith logs in, using the application, there is a welcome
header that says 'Welcome John Smith'. Then Jane Jones logs in with her
user id/password, but she sees the welcome header as 'Welcome John
Smith' !!! So, here John Smith's session is shared by Jane which is
neither expected nor wanted.

How do I avoid this, please please help.

Thank you,
Bhaskar
 
We can't help you unless you show us the relevant code. Sessions do not work
this way, so it must be something in the code causing this behavior.
 
Marina,

Here is the code that happens when you click log in. As you can see, I
am setting gs_login_user_id and gs_login_user_name in the Global. But
if John has already logged in and these variables are set, how come
when Jane logs in, these variables are set to John's? It is very
strange.

Thanks
Bhaskar


' Requires "Imports System.DirectoryServices" at the top of the code-behind file.
Private Function AuthenticateNTUser(ByVal userId As String, ByVal password As String) As Boolean

    AuthenticateNTUser = False

    Try
        Dim enTry As DirectoryEntry = New DirectoryEntry("LDAP://WTNT/DC=smfbc,DC=org", "WTNT\" & userId, password)
        enTry.AuthenticationType = AuthenticationTypes.Secure
        If enTry Is Nothing Then
            writemessage(Lbl_messages, "Directory Entry is Nothing. Exiting...")
            Exit Function
        End If

        Dim mySearcher As New DirectorySearcher(enTry)
        mySearcher.PropertiesToLoad.Add("givenname") ' First Name
        mySearcher.PropertiesToLoad.Add("sn") ' Last Name
        mySearcher.Filter = ("(objectClass=user)")
        Dim filterster As String = "(SAMAccountName=" + userId + ")" ' search the user name
        mySearcher.Filter = filterster

        Dim sresult As SearchResult = mySearcher.FindOne()

        If (Not sresult Is Nothing) Then
            ' Read the properties only after confirming that a result came back
            Dim myResultPropColl As ResultPropertyCollection = sresult.Properties
            Dim myCollection As Object
            For Each myCollection In myResultPropColl("givenname")
                Global.gs_login_user_name = myCollection
            Next myCollection
            For Each myCollection In myResultPropColl("sn")
                ' Set user name to display in Welcome header in listpage.aspx
                Global.gs_login_user_name = Global.gs_login_user_name & " " & myCollection
            Next myCollection
        Else
            ' sresult is Nothing in this branch, so it must not be dereferenced
            writemessage(Lbl_messages, "No directory entry found for this user.")
            Exit Function
        End If
    Catch ex As Exception
        writemessage(Lbl_messages, ex.Message)
        Exit Function
    End Try
    AuthenticateNTUser = True

End Function

' This is login button click function

Private Sub btn_login_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btn_login.Click

    writemessage(Lbl_messages, Nothing)
    If (Trim(Tex_userid.Text) = "") _
        Or (Trim(tex_password.Text) = "") Then
        writemessage(Lbl_messages, "Please enter both your username and password")
        Exit Sub
    End If

    Dim error_message As String = ""
    If AuthenticateNTUser(Tex_userid.Text, tex_password.Text) = True Then
        Global.gs_login_user_id = UCase(Tex_userid.Text)

        Response.Redirect("listpage.aspx")
    End If
End Sub
 
How is this variable Global.gs_login_user_name declared?

If it is global for all the app then you'll receive this situation.

You should do something like this
Session("LoggedUser") = myCollection

and then to obtain the name of the user just call Session("LoggedUser").
 
Hi Vadym,

Global.gs_login_user_name is declared in global.asax.vb file. And I set
it when a user logs in, with his/her user id. And I occasionally check
it if the user is logged in. I thought the variables declared in
global.asax.vb file are specific to that user instance only. But they
are being shared among all users for that application. Does that sound
right?

Where should I declare my variables so they are accessible only within
that session?

Bhaskar
 
You must not declare but set the value of session variables accessed by
Session("KeyName")
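
The fix suggested in the replies above, as an added example that is not part of the original thread: a helper that keeps the login identity in per-user Session state instead of in members reached through the Global class name, which are Shared and therefore exist once for the whole application. The class name LoginState, the key "LoggedUserId" and the page name login.aspx are assumptions; "LoggedUser" is the key used in the reply.

```vbnet
Imports System.Web
Imports System.Web.SessionState

' Added example (hypothetical helper, not code from the thread).
' The methods are Shared, but they hold no data: every value lives in the
' Session object that ASP.NET ties to the caller's own session cookie.
Public NotInheritable Class LoginState
    Private Const UserIdKey As String = "LoggedUserId"   ' assumed key name
    Private Const UserNameKey As String = "LoggedUser"   ' key from the reply above

    Private Sub New()
    End Sub

    Private Shared ReadOnly Property Current() As HttpSessionState
        Get
            Return HttpContext.Current.Session
        End Get
    End Property

    ' Call from btn_login_Click only after AuthenticateNTUser returns True.
    Public Shared Sub SignIn(ByVal userId As String, ByVal displayName As String)
        Current(UserIdKey) = UCase(userId)
        Current(UserNameKey) = displayName
    End Sub

    ' Call at the top of Page_Load on every protected page, for example:
    '   If Not LoginState.IsLoggedIn Then Response.Redirect("login.aspx")
    Public Shared ReadOnly Property IsLoggedIn() As Boolean
        Get
            Return Not Current(UserIdKey) Is Nothing
        End Get
    End Property

    ' Value for the 'Welcome ...' header on listpage.aspx.
    Public Shared ReadOnly Property UserName() As String
        Get
            Return CStr(Current(UserNameKey))
        End Get
    End Property

    ' Call on logout so the next person at the same browser starts clean.
    Public Shared Sub SignOut()
        Current.Clear()
        Current.Abandon()
    End Sub
End Class
```

To use it, AuthenticateNTUser has to hand the display name back to the caller (for instance through a ByRef parameter) rather than writing it to Global.gs_login_user_name.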
 