Windows identity getting confused between users

Discussion in 'ASP .Net' started by Scottrm, Jun 30, 2010.

  1. Scottrm

    Scottrm Guest

    We are observing some strange behaviour in our web server logs where where
    the Identity of the currently logged in user seems to be getting swapped with
    another user. I will describe our set up before explaining further.

    We are running an asp.net web site (v3.5 of the framework) on 2 Windows 2008
    web servers and use forms authentication.They are load balanced using a
    separate server running Apache 2.2 on Linux (Cent OS 5). The load balancing
    simply attaches a cookie to a user and directs them to a particular server
    for each subsequent request.

    We notice on occasion patterns in the log like this (details obfuscated)

    First Log Entry

    UserName -

    UserId - 1111

    WebPage - page1

    IP - ip1

    Time - 2010-06-29 12:56:20.750

    SessionId - h3uyz2fsdfegugjy452sdz0far

    Second Log Entry

    UserName -

    UserId - 2222

    WebPage - page2

    IP - ip2

    Time - 2010-06-29 12:57:16.133

    SessionId - 21ipjsdfsdfieqqwyfdokgqsb55

    We are using forms authentication using the standard asp.net forms
    authentication framework (the standard login control and we implemented a
    custom membership provider).

    The UserName is the Windows identity retrieved using
    "HttpContext.Current.User.Identity.Name" The UserId is the database Id set in
    the session. The sessionId is retrieved using
    "HttpContext.Current.Session.SessionID"

    As you can see the same Windows identity is the same for 2 different users,
    under different IP addresses and with different session id's, hitting the
    site about the same time. We checked and the IP's were from totally different
    locations. The wrong windows identity seems to be getting recorded. UserId
    2222 should have a different username recorded.

    Since it happens very occasionally, the code is standard and has not changed
    substantially for some time we don't "think" it is a coding error. We presume
    either a problem with the load balancer or some problem in the web server. I
    have never heard of such problems in asp.net before.

    Recently we did change our set up from IIS6 on Windows 2003 and a Cisco
    hardware load balancer to the current setup of IIS7 on Windows 2008 and the
    Apache load balancing. Any ideas appreciated.

    The forms authentication entry in the web.config is

    authentication mode="Forms"

    forms loginUrl="LoginPage.aspx" name=".ASPXFORMSAUTH"
    Scottrm, Jun 30, 2010
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Giovanni Bassi
    Replies:
    0
    Views:
    622
    Giovanni Bassi
    Oct 20, 2003
  2. nalbayo
    Replies:
    2
    Views:
    5,471
    Bruce Barker
    Nov 11, 2005
  3. JimLad
    Replies:
    0
    Views:
    430
    JimLad
    Jan 16, 2009
  4. Frederick D'hont
    Replies:
    0
    Views:
    296
    Frederick D'hont
    Jul 25, 2005
  5. David Thielen

    Limiting num users - Windows Identity

    David Thielen, Nov 9, 2006, in forum: ASP .Net Security
    Replies:
    5
    Views:
    150
    Luke Zhang [MSFT]
    Nov 13, 2006
Loading...

Share This Page