开发者

Windows identity getting confused between users

开发者 https://www.devze.com 2023-01-05 18:04 出处:网络
We are observing some strange behaviour in our web server logs where where the Identity of the currently logged in user seems to be getting swapped with another user. I will describe our set up before

We are observing some strange behaviour in our web server logs where where the Identity of the currently logged in user seems to be getting swapped with another user. I will describe our set up before explaining further.

We are running an asp.net web site (v3.5 of the framework) on 2 Windows 2008 web servers and use forms authentication.They are load balanced using a separate server running Apache 2.2 on Linux (Cent OS 5). The load balancing simply attaches a cookie to a user and directs them to a particular server for each subsequent request.

We notice on occasion patterns in the log like this (details obfuscated)

First Log Entry

UserName - customer1@x.com

UserId - 1111

WebPage - page1

IP - ip1

Time - 2010-06-29 12:56:20.750

SessionId - h3uyz2fsdfegugjy452sdz0far

Second Log Entry

UserName - customer1@x.com

UserId - 2222

WebPage - page2

IP - ip2

Time - 2010-06-29 12:57:16.133

SessionId - 21ipjsdfsdfieqqwyfdokgqsb55

We are using forms authentication using the standard asp.net forms authentication framework (the standard login control and we implemented a custom membership provider).

The UserName is the Windows identity retrieved using "HttpContext.Current.User.Identity.Name" The UserId is the database Id set in the session. The sessionId is retrieved using "HttpContext.Current.Session.SessionID"

As you can see the same Windows identity is the same for 2 different users, under different IP addresses and with different session id's, hitting the site about the same time. We checked and the IP's were from totally different locations. The wrong windows identity seems to be getting recorded. UserId 2222 should have a different username recorded.

Since it happens very occasionally, the code is standard and has not changed substantially for some time we don't "think" it is a coding error. We presume either a problem with the load balancer or some problem in the web server. I have never heard of such problems in asp.net before.

Recently we did change our set up from IIS6 on Windows 2003 and a Cisco hardware load balancer to the current setup of IIS7 on Windows 2008 and the Apache load balancing. Any ideas apprecia开发者_高级运维ted.

The forms authentication entry in the web.config is

authentication mode="Forms"

forms loginUrl="LoginPage.aspx" name=".ASPXFORMSAUTH"


Are you setting any session variables? Session ID's reset for every request unless you store something, anything in session for each user.


You have to guarantee that each users cookie is unique. You can't depend on the sessionid.

0

精彩评论

暂无评论...
验证码 换一张
取 消