-
Big security problem
Has anyone experienced anything like this?
I have a page which users use to enter details of events. As they work down
the page entering their info they update it regularly and at the bottom a
preview of how their data will look on the live site is shown.
We currently have a problem where if two or more users are using the page at
the same time, details from one person's preview section can appear in the
other's!
I'm using ASP.NET 1.0 (VB.net) on Win 2K.
-
Re: Big security problem
> We currently have a problem where if two or more users
> are using the page at the same time, details from one
> person's preview section can appear in the other's!...
> Has anyone experienced anything like this?
Matt: You're not by any chance using the ThreadStatic attribute, are you? It
can cause the behavior you describe. For more information, see:
http://dotnetweblogs.com/yreynhout/posts/4061.aspx
http://radio.weblogs.com/0106747/2003/05/23.html
--
Phil Weber
-
Re: Big security problem
Hi Phil. No, not using ThreadStatic....
"Phil Weber" <philweber@hotmail.com> wrote in message
news:3ed4b5ca$1@tnews.web.devx.com...
> > We currently have a problem where if two or more users
> > are using the page at the same time, details from one
> > person's preview section can appear in the other's!...
> > Has anyone experienced anything like this?
>
> Matt: You're not by any chance using the ThreadStatic attribute, are you? It
> can cause the behavior you describe. For more information, see:
>
> http://dotnetweblogs.com/yreynhout/posts/4061.aspx
> http://radio.weblogs.com/0106747/2003/05/23.html
>
> --
> Phil Weber
>
-
Re: Big security problem
How are you generating the preview?
"Matt" <matthew@cdpnetworks.co.uk> wrote in message
news:3ed48166$1@tnews.web.devx.com...
> Has anyone experienced anything like this?
>
> I have a page which users use to enter details of events. As they work down
> the page entering their info they update it regularly and at the bottom a
> preview of how their data will look on the live site is shown.
>
> We currently have a problem where if two or more users are using the page at
> the same time, details from one person's preview section can appear in the
> other's!
>
> I'm using ASP.NET 1.0 (VB.net) on Win 2K.
>
>
-
Re: Big security problem
The preview is a user control which is displayed at the bottom of the page.
The code is typically like this:
Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & CStr(count)), DropDownList)
preview.lblPerformers.Text = cmbPerformers.SelectedItem.Text
Where preview is the name of the user control.
"Russell Jones" <arj1@nospam.northstate.net> wrote in message
news:3ed4c124$1@tnews.web.devx.com...
> How are you generating the preview?
>
-
Re: Big security problem
Sorry. I was trying to find out where you're getting the user data displayed
in the preview. Does the data come from a Session variable? From a file?
From an Application variable? Is it generated on the fly? The answer more
than likely lies inside the user control code. Look there.
"Matt" <matthew@cdpnetworks.co.uk> wrote in message
news:3ed4c4a8@tnews.web.devx.com...
> The preview is a user control which is displayed at the bottom of the page.
> The code is typically like this:
> Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & CStr(count)), DropDownList)
>
> preview.lblPerformers.Text = cmbPerformers.SelectedItem.Text
>
> Where preview is the name of the user control.
>
>
> "Russell Jones" <arj1@nospam.northstate.net> wrote in message
> news:3ed4c124$1@tnews.web.devx.com...
> > How are you generating the preview?
> >
>
>
-
Re: Big security problem
As the user works through the form, the data they enter is stored in the
ViewState; but as my code demonstrates, the preview section is generated
from the content of the server controls on the page.
"Russell Jones" <arj1@nospam.northstate.net> wrote in message
news:3ed4d002$1@tnews.web.devx.com...
> Sorry. I was trying to find out where you're getting the user data displayed
> in the preview. Does the data come from a Session variable? From a file?
> From an Application variable? Is it generated on the fly? The answer more
> than likely lies inside the user control code. Look there.
>
>
> "Matt" <matthew@cdpnetworks.co.uk> wrote in message
> news:3ed4c4a8@tnews.web.devx.com...
> > The preview is a user control which is displayed at the bottom of the page.
> > The code is typically like this:
> > Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & CStr(count)), DropDownList)
> >
> > preview.lblPerformers.Text = cmbPerformers.SelectedItem.Text
> >
> > Where preview is the name of the user control.
> >
> >
> > "Russell Jones" <arj1@nospam.northstate.net> wrote in message
> > news:3ed4c124$1@tnews.web.devx.com...
> > > How are you generating the preview?
> > >
> >
> >
>
>
-
Re: Big security problem
Post the user control code.
"Matt" <matthew@cdpnetworks.co.uk> wrote in message
news:3ed4d47f@tnews.web.devx.com...
> As the user works through the form, the data they enter is stored in the
> ViewState; but as my code demonstrates, the preview section is generated
> from the content of the server controls on the page.
-
Re: Big security problem
"Matt" <matthew@cdpnetworks.co.uk> wrote:
>Has anyone experienced anything like this?
This happened to me when I used application variables such as
Application["DelphiOne"] = new MyClass();
and used variables in class like the following
((MyClass)Application["DelphiOne"]).MyName = "SD";
There were problems as described by you (one user's data coming on another's
screen). I solved the problem by replacing the "Application" keyword with
"Session" keyword. But the session state timeout must be set in web.config
file. Read the help on VS.NET for more info.
SD
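
Added illustration, not part of any post in this thread: a C# console simulation of the two causes suggested above, shared Application state (SD) and a [ThreadStatic] field on a reused worker thread (Phil Weber). The dictionaries are stand-ins for ASP.NET's Application and Session objects, and every class, method and sample value is made up for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
class Preview { public string Performer; }
static class StateLeakDemo
{
    // Stand-ins (assumptions, not System.Web types): App plays Application[...],
    // one store per process; Sessions plays Session[...], one entry per session id.
    static readonly Dictionary<string, object> App = new Dictionary<string, object>();
    static readonly Dictionary<string, Preview> Sessions = new Dictionary<string, Preview>();
    // One copy per thread; a worker thread serves many requests in its lifetime.
    [ThreadStatic] static string currentPerformer;

    // What user A's preview shows after user B has saved to the shared object.
    public static string ApplicationScoped()
    {
        App["Preview"] = new Preview();
        ((Preview)App["Preview"]).Performer = "A's band";     // request from A
        ((Preview)App["Preview"]).Performer = "B's quartet";  // request from B
        return ((Preview)App["Preview"]).Performer;           // A re-renders
    }

    // Same interleaving, but each request uses the entry for its own session id.
    public static string SessionScoped()
    {
        Sessions["sess-A"] = new Preview { Performer = "A's band" };
        Sessions["sess-B"] = new Preview { Performer = "B's quartet" };
        return Sessions["sess-A"].Performer;
    }

    // Two constructed requests run back to back on one worker thread:
    // B never assigns the field, yet reads what A's request left behind.
    public static string ThreadStaticReuse()
    {
        var seenByB = new List<string>();
        Action[] requests = {
            () => currentPerformer = "A's band",
            () => seenByB.Add(currentPerformer ?? "(empty)")
        };
        var worker = new Thread(() => { foreach (Action r in requests) r(); });
        worker.Start(); worker.Join();
        return seenByB[0];
    }

    static void Main()
    {
        Console.WriteLine("Application: A sees {0}; Session: A sees {1}; ThreadStatic: B sees {2}",
            ApplicationScoped(), SessionScoped(), ThreadStaticReuse());
    }
}
```

In the Application-scoped and ThreadStatic cases one user ends up reading the other's value; only the session-keyed lookup returns user A's own data.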
-
Re: Big security problem
Hi. There is not any code within the usercontrol as it's all done from the
main page like this:
'FIND THE CONTROL ON MAIN PAGE
Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & CStr(count)), DropDownList)
'ADD THE SELECTED TEXT TO LABEL ON USER CONTROL
preview.lblPerformers.Text = cmbPerformers.SelectedItem.Text
"Russell Jones" <arj1@nospam.northstate.net> wrote in message
news:3ed4f795@tnews.web.devx.com...
> Post the user control code.
>
> "Matt" <matthew@cdpnetworks.co.uk> wrote in message
> news:3ed4d47f@tnews.web.devx.com...
> > As the user works through the form, the data they enter is stored in the
> > ViewState; but as my code demonstrates, the preview section is generated
> > from the content of the server controls on the page.
>
>
>
-
Re: Big security problem
Thanks, but I don't use application variables anywhere.
"SD" <vb.@127.0.0.1> wrote in message news:3ed50338$1@tnews.web.devx.com...
>
> "Matt" <matthew@cdpnetworks.co.uk> wrote:
> >Has anyone experienced anything like this?
>
> This happened to me when I used application variables such as
>
> Application["DelphiOne"] = new MyClass();
>
> and used variables in class like the following
>
> ((MyClass)Application["DelphiOne"]).MyName = "SD";
>
> There were problems as described by you (one user's data coming on another's
> screen). I solved the problem by replacing the "Application" keyword with
> "Session" keyword. But the session state timeout must be set in web.config
> file. Read the help on VS.NET for more info.
> SD
>
-
Re: Big security problem
"Matt" <matthew@cdpnetworks.co.uk> wrote:
>Thanks, but I don't use application variables anywhere.
You said you were using "ViewState" Variables? If so they could be acting
in a similar way as "Application" variables. Check out.
SD
-
Re: Big security problem
If that's the problem then the whole asp.net platform is flawed surely?
"SD" <vb.@127.0.0.1> wrote in message news:3ed61d9b$1@tnews.web.devx.com...
>
> "Matt" <matthew@cdpnetworks.co.uk> wrote:
> >Thanks, but I don't use application variables anywhere.
>
> You said you were using "ViewState" Variables? If so they could be acting
> in a similar way as "Application" variables. Check out.
> SD
-
Re: Big security problem
That certainly has not been my experience. I usually find that problems
of this nature are found to be flaws in the design or implementation rather
than the platform.
I would suggest that you re-cast the process to use session variables rather
than viewstate to persist data between requests. The network admin can tune
website performance without app developer intervention easier and the page
responds much better for our slow-bandwidth customers. Viewstate also has
the downside of being completely open and accessible to the user and provides
a security hole itself.
"Matt" <matthew@cdpnetworks.co.uk> wrote:
>If that's the problem then the whole asp.net platform is flawed surely?
>