Serious issue with HttpContext.Current.User.Identity.Name

kiran_s_rao

I have a serious issue that seems to be intermittent with
User.Identity.Name.

In an environment where about 100+ users are logging on to a site with
forms authentication, calling HttpContext.Current.User.Identity.Name
returns the correctly logged on user.

However, 10% of the time (I'm guessing under stress conditions or
simultaneous requests), the wrong user info is being returned.

The logic of this app:

1) User enters username/pass
2) Info is looked up via SQL DB call
3) If match, user is authenticated via
FormsAuthentication.RedirectFromLoginPage(username, True)
4) On all the pages the user visits, his/her info is shown via a call
to HttpContext.Current.User.Identity.Name

This works almost all the time. Any ideas why it might be failing from
time to time?
 
bruce barker

Usually a coding error where you store the user info in a VB module or C#
static during page processing.

-- bruce (sqlwork.com)

| I have a serious issue that seems to be intermittent with
| User.Identity.Name.
|
| In an environment where about 100+ users are logging on to a site with
| forms authentication, calling HttpContext.Current.User.Identity.Name
| returns the correctly logged on user.
|
| However, 10% of the time (I'm guessing under stress conditions or
| simultaneous requests), the wrong user info is being returned.
|
| The logic of this app:
|
| 1) User enters username/pass
| 2) Info is looked up via SQL DB call
| 3) If match, user is authenticated via
| FormsAuthentication.RedirectFromLoginPage(username, True)
| 4) On all the pages the user visits, his/her info is shown via a call
| to HttpContext.Current.User.Identity.Name
|
| This works almost all the time. Any ideas why it might be failing from
| time to time?
|
 
Kiran_S_Rao

Bruce,

Thanks for the reply.
Can you please give me more detail?

When you say "coding error where you store the user info", what is the
common error here?

We are not storing that info anywhere, but just calling
HttpContext.Current.User.Identity.Name whenever we need that info.
Sometimes it's correct, sometimes it's not.

Kiran
 
Guest

Hi Kiran,
Are you using Forms Authentication and validating against SQL Server?
Are you sure you aren't using Windows Auth, since you are calling
HttpContext.Current.User.Identity.Name?
Please elaborate more.
Patrick
 
Kiran_S_Rao

Patrick,

Thanks for the reply.
Ok here is what I'm doing:

1) User enters user and pass
2) Check for match with SQL DB
3) If match, call FormsAuthentication.RedirectFromLoginPage(username,
True)

After all that, I was under the impression that the best way to check
for the currently logged in user is to call:
HttpContext.Current.User.Identity.Name

Is this not correct? How else do you check the name with Forms
Authentication?

Thanks,
Kiran
 
Matt Berther

Hello (e-mail address removed),

You are correct. My guess is that somewhere you're storing/retrieving this
info from a static variable...
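
The failure mode Bruce and Matt suggest, as an added example that is not part of the thread or the poster's application: a console simulation in which 100 concurrent "requests" keep the authenticated name in a static field versus a request-local variable. `UserInfo`, `HandleShared`, `HandlePerRequest` and `CountWrong` are hypothetical names, and `Thread.Sleep` stands in for page processing.

```csharp
// Added example: console simulation, not code from the thread.
// UserInfo, HandleShared, HandlePerRequest and CountWrong are hypothetical names.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

static class UserInfo
{
    // Bug pattern: one field shared by every request in the worker process
    // (same effect as a public variable in a VB Module).
    public static string Name = "";
}

static class Demo
{
    // Stands in for page processing that caches the identity in a static.
    static bool HandleShared(string authenticatedName)
    {
        UserInfo.Name = authenticatedName;          // e.g. assigned early in the page
        Thread.Sleep(1);                            // other requests run meanwhile
        return UserInfo.Name == authenticatedName;  // value the page would render
    }

    // Corrected pattern: the value lives in request scope (a local here; in
    // ASP.NET, read HttpContext.Current.User.Identity.Name at the point of use).
    static bool HandlePerRequest(string authenticatedName)
    {
        string name = authenticatedName;
        Thread.Sleep(1);
        return name == authenticatedName;
    }

    // Runs 100 simulated users concurrently and counts wrong names shown.
    static int CountWrong(Func<string, bool> handler)
    {
        var users = Enumerable.Range(0, 100).Select(i => "user" + i).ToArray();
        int wrong = 0;
        Parallel.ForEach(users, u => { if (!handler(u)) Interlocked.Increment(ref wrong); });
        return wrong;
    }

    static void Main()
    {
        Console.WriteLine("static field, wrong name shown: " + CountWrong(HandleShared));
        Console.WriteLine("per-request,  wrong name shown: " + CountWrong(HandlePerRequest));
    }
}
```

The static-field count varies from run to run because it depends on thread timing, which matches the intermittent symptom; the per-request count is always 0.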
 
Patrick Olurotimi Ige

Hi Kiran,
As Matt stated, you're storing/retrieving somewhere!
With your Forms Auth validating against SQL Server, are you implementing
roles (authorisation)? Because if you do, then you must be storing users for
sure.
Because by calling "HttpContext.Current.User.Identity.Name"
you're just calling the logged-on user.
Hope it helps.
Patrick
**Let me read from you**
 
Kiran_S_Rao

Thanks for all the replies.

However, we are *not* storing this information anywhere at all.
We are not doing roles based auth.

Whenever we need to figure out who the current user is, we call
HttpContext.Current.User.Identity.Name. This is not stored in a
variable anywhere.

Am I understanding the above call correctly? If user "a" logs in and
then user "b" logs in, does calling identity.name for user "a"'s
session show user "b"'s info? Because that is what is happening with
10% of the requests.
 
Patrick Olurotimi Ige

Kiran_S_Rao,
This seems weird!
When you talk about info, do you mean the username?
Are 10% of these users in the same domain?
As you are using Forms Auth, do you have Anonymous Access turned OFF or ON?
Patrick
 
Kiran_S_Rao

Patrick,

Yes, the info that I was referring to was the Username.
When I say 10% of the calls fail, what I mean is that sometimes, a
given user's session will return someone else's Username.
This is not predictable and does not happen to a certain set of
people. All the users have this happen sooner or later. There is no
domain distinction since the usernames are held in the DB, and have
nothing to do with the domain of the server.

In IIS, I have anonymous access turned ON so unregistered users can
access the rest of the site.
 
