Security problem/issue ASP.Net

Gilles

Hello,
I'm facing a big problem in an Asp.Net application. When
users connect to the application, I store their user
information in the session object (session_start).
But when 2 users click (nearly) at the same time on the
page myprofile, the first user sees his profile (the
correct one) and the second sees the profile of the first
(very bad).
The "HttpContext.Current.User.Identity" is not the
expected one.
web.config entries:

    <authentication mode="Windows"/>
    <identity impersonate="false"/>
    <authorization>
        <allow users="*"/>
    </authorization>
    <sessionState mode="InProc" cookieless="false" timeout="20"/>

Any idea?
Many thanks for your help.
Gilles
 
Kevin Spencer

HttpContext.Current.User.Identity represents the currently logged-in user.
If the web disallows anonymous authentication, this will (probably) be a
different user with each client. If anonymous browsing is allowed, the user
will always be the Anonymous Internet User account.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
Guest

Thanks for your quick reply,

The Web Server is set to:
"Integrated Windows authentication"
and "Anonymous access" is disabled.
What else can I do to avoid this session mix?

Thanks

Gilles
 
Kevin Spencer

> The Web Server is set to:
> "Integrated Windows authentication"
> and "Anonymous access" is disabled.
> What else can I do to avoid this session mix?

I'm not sure. I haven't had to deal with this issue before. But if I'm
reading the SDK correctly, you need to set the "identity impersonate"
attribute to true. From what I've read, this enables "per request"
impersonation.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
Gilles

Thanks Kevin,

I'll try that tomorrow (it's 19h00 here in Belgium :) ),
but I'm quite sure I tried that
some time ago and it didn't work...
I'll keep you informed.

Gilles
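
Added example, not part of the original thread and not code from any poster: a Global.asax guard that records which Windows account opened each session and rejects any later request where the session's owner and the request's HttpContext.Current.User.Identity disagree, which is the symptom described above. It does not identify the cause of the mix-up; the session key "OwnerIdentity" and the trace message are assumptions made for illustration.

```csharp
// Global.asax.cs (added example; "OwnerIdentity" is a hypothetical session key)
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    private const string OwnerKey = "OwnerIdentity";

    // Runs once per new session: bind the session to the authenticated
    // Windows account that opened it.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session[OwnerKey] = User.Identity.Name;
    }

    // Runs on every request, after session state has been loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx == null || ctx.Session == null || ctx.User == null)
            return; // handler that does not use session state

        string owner = ctx.Session[OwnerKey] as string;
        string current = ctx.User.Identity.Name;

        // Windows account names are case-insensitive.
        if (owner != null &&
            !string.Equals(owner, current, StringComparison.OrdinalIgnoreCase))
        {
            // Record the mismatch so it can be investigated, then fail closed:
            // never render one user's session data for another identity.
            Trace.TraceWarning(
                "Session owner mismatch: session={0} owner={1} request user={2} url={3}",
                ctx.Session.SessionID, owner, current, ctx.Request.RawUrl);

            ctx.Session.Clear();
            ctx.Session.Abandon();
            ctx.Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```

If the warning never fires while users still see each other's profiles, the session itself is intact and the profile data is being shared somewhere outside the session object.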
 
