
Thread: Big security problem

  1. #1
    Matt Guest

    Big security problem

    Has anyone experienced anything like this?

    I have a page which users use to enter details of events. As they work down
    the page entering their info they update it regularly and at the bottom a
    preview of how their data will look on the live site is shown.

    We currently have a problem where if two or more users are using the page at
    the same time, details from one person's preview section can appear in the
    other's!

    I'm using ASP.NET 1.0 (VB.net) on Win 2K.



  2. #2
    Phil Weber Guest

    Re: Big security problem

    > We currently have a problem where if two or more users
    > are using the page at the same time, details from one
    > person's preview section can appear in the other's!...
    > Has anyone experienced anything like this?


    Matt: You're not by any chance using the ThreadStatic attribute, are you? It
    can cause the behavior you describe. For more information, see:

    http://dotnetweblogs.com/yreynhout/posts/4061.aspx
    http://radio.weblogs.com/0106747/2003/05/23.html

    --
    Phil Weber


  3. #3
    Matt Guest

    Re: Big security problem

    Hi Phil. No, not using ThreadStatic....


    "Phil Weber" <philweber@hotmail.com> wrote in message
    news:3ed4b5ca$1@tnews.web.devx.com...
    > > We currently have a problem where if two or more users
    > > are using the page at the same time, details from one
    > > person's preview section can appear in the other's!...
    > > Has anyone experienced anything like this?
    >
    > Matt: You're not by any chance using the ThreadStatic attribute, are you? It
    > can cause the behavior you describe. For more information, see:
    >
    > http://dotnetweblogs.com/yreynhout/posts/4061.aspx
    > http://radio.weblogs.com/0106747/2003/05/23.html
    >
    > --
    > Phil Weber




  4. #4
    Russell Jones Guest

    Re: Big security problem

    How are you generating the preview?

    "Matt" <matthew@cdpnetworks.co.uk> wrote in message
    news:3ed48166$1@tnews.web.devx.com...
    > Has anyone experienced anything like this?
    >
    > I have a page which users use to enter details of events. As they work down
    > the page entering their info they update it regularly and at the bottom a
    > preview of how their data will look on the live site is shown.
    >
    > We currently have a problem where if two or more users are using the page at
    > the same time, details from one person's preview section can appear in the
    > other's!
    >
    > I'm using ASP.NET 1.0 (VB.net) on Win 2K.




  5. #5
    Matt Guest

    Re: Big security problem

    The preview is a user control which is displayed at the bottom of the page.
    The code is typically like this:
    Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & _
        CStr(count)), DropDownList)

    preview.lblPerformers.Text = cmbPerformers.selecteditem.text

    Where preview is the name of the user control.


    "Russell Jones" <arj1@nospam.northstate.net> wrote in message
    news:3ed4c124$1@tnews.web.devx.com...
    > How are you generating the preview?
    >




  6. #6
    Russell Jones Guest

    Re: Big security problem

    Sorry. I was trying to find out where you're getting the user data displayed
    in the preview. Does the data come from a Session variable? From a file?
    From an Application variable? Is it generated on the fly? The answer more
    than likely lies inside the user control code. Look there.


    "Matt" <matthew@cdpnetworks.co.uk> wrote in message
    news:3ed4c4a8@tnews.web.devx.com...
    > The preview is a user control which is displayed at the bottom of the page.
    > The code is typically like this:
    > Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" &
    > CStr(count)), DropDownList)
    >
    > preview.lblPerformers.Text = cmbPerformers.selecteditem.text
    >
    > Where preview is the name of the user control.
    >
    >
    > "Russell Jones" <arj1@nospam.northstate.net> wrote in message
    > news:3ed4c124$1@tnews.web.devx.com...
    > > How are you generating the preview?




  7. #7
    Matt Guest

    Re: Big security problem

    As the user works through the form, the data they enter is stored in the
    ViewState; but as my code demonstrates, the preview section is generated
    from the content of the server controls on the page.


    "Russell Jones" <arj1@nospam.northstate.net> wrote in message
    news:3ed4d002$1@tnews.web.devx.com...
    > Sorry. I was trying to find out where you're getting the user data displayed
    > in the preview. Does the data come from a Session variable? From a file?
    > From an Application variable? Is it generated on the fly? The answer more
    > than likely lies inside the user control code. Look there.
    >
    >
    > "Matt" <matthew@cdpnetworks.co.uk> wrote in message
    > news:3ed4c4a8@tnews.web.devx.com...
    > > The preview is a user control which is displayed at the bottom of the page.
    > > The code is typically like this:
    > > Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" &
    > > CStr(count)), DropDownList)
    > >
    > > preview.lblPerformers.Text = cmbPerformers.selecteditem.text
    > >
    > > Where preview is the name of the user control.
    > >
    > >
    > > "Russell Jones" <arj1@nospam.northstate.net> wrote in message
    > > news:3ed4c124$1@tnews.web.devx.com...
    > > > How are you generating the preview?




  8. #8
    Russell Jones Guest

    Re: Big security problem

    Post the user control code.

    "Matt" <matthew@cdpnetworks.co.uk> wrote in message
    news:3ed4d47f@tnews.web.devx.com...
    > As the user works through the form, the data they enter is stored in the
    > ViewState; but as my code demonstrates, the preview section is generated
    > from the content of the server controls on the page.





  9. #9
    SD Guest

    Re: Big security problem


    "Matt" <matthew@cdpnetworks.co.uk> wrote:
    >Has anyone experienced anything like this?


    This happened to me when I used application variables such as

    Application["DelphiOne"] = new MyClass();

    and used variables in class like the following

    ((MyClass)Application["DelphiOne"]).MyName = "SD";

    There were problems as described by you (one user's data coming on another's
    screen). I solved the problem by replacing the "Application" keyword with
    "Session" keyword. But the session state timeout must be set in web.config
    file. Read the help on VS.NET for more info.
    SD
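
Added example (not part of any post in this thread): a constructed C# console simulation of the two causes raised in replies #2 and #9, a ThreadStatic field and an Application-scoped value, beside per-session storage. The class name, the dictionaries, the session ids and the sample value are assumptions that stand in for ASP.NET's Application and Session objects.

```csharp
using System;
using System.Collections.Generic;

// Constructed simulation, not ASP.NET itself: one thread serves two users'
// requests in turn, the way a pooled worker thread is reused across requests.
class PreviewLeakDemo
{
    [ThreadStatic] static string threadPreview;   // survives as long as the thread
    static readonly Dictionary<string, string> application =
        new Dictionary<string, string>();          // stand-in for Application[...]
    static readonly Dictionary<string, Dictionary<string, string>> sessions =
        new Dictionary<string, Dictionary<string, string>>(); // stand-in for Session[...]

    static Dictionary<string, string> SessionFor(string sessionId)
    {
        Dictionary<string, string> bag;
        if (!sessions.TryGetValue(sessionId, out bag))
        {
            bag = new Dictionary<string, string>();
            sessions[sessionId] = bag;
        }
        return bag;
    }

    // postedValue != null: the user submitted a performer; null: the user only views.
    // Returns what each storage scope would render into this user's preview.
    static string[] HandleRequest(string sessionId, string postedValue)
    {
        if (postedValue != null)
        {
            threadPreview = postedValue;                      // per thread, not per user
            application["preview"] = postedValue;             // one slot for all users
            SessionFor(sessionId)["preview"] = postedValue;   // one slot per session id
        }
        string fromApplication, fromSession;
        application.TryGetValue("preview", out fromApplication);
        SessionFor(sessionId).TryGetValue("preview", out fromSession);
        return new string[] { threadPreview, fromApplication, fromSession };
    }

    static void Main()
    {
        HandleRequest("session-A", "Performer chosen by user A"); // constructed input
        string[] seenByB = HandleRequest("session-B", null);      // user B just loads the page
        Console.WriteLine("ThreadStatic: {0}", seenByB[0] ?? "(empty)");
        Console.WriteLine("Application : {0}", seenByB[1] ?? "(empty)");
        Console.WriteLine("Session     : {0}", seenByB[2] ?? "(empty)");
    }
}
```

User B's request reads user A's value through the thread-static field and the application-wide slot, while the session-keyed store returns nothing for session B.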


  10. #10
    Matt Guest

    Re: Big security problem

    Hi. There is not any code within the usercontrol as it's all done from the
    main page like this:

    'FIND THE CONTROL ON MAIN PAGE
    Dim cmbPerformers As DropDownList = CType(Me.FindControl("cmbPerformer" & _
        CStr(count)), DropDownList)

    'ADD THE SELECTED TEXT TO LABEL ON USER CONTROL
    preview.lblPerformers.Text = cmbPerformers.selecteditem.text




    "Russell Jones" <arj1@nospam.northstate.net> wrote in message
    news:3ed4f795@tnews.web.devx.com...
    > Post the user control code.
    >
    > "Matt" <matthew@cdpnetworks.co.uk> wrote in message
    > news:3ed4d47f@tnews.web.devx.com...
    > > As the user works through the form, the data they enter is stored in the
    > > ViewState; but as my code demonstrates, the preview section is generated
    > > from the content of the server controls on the page.

    >
    >
    >




  11. #11
    Matt Guest

    Re: Big security problem

    Thanks, but I don't use application variables anywhere.


    "SD" <vb.@127.0.0.1> wrote in message news:3ed50338$1@tnews.web.devx.com...
    >
    > "Matt" <matthew@cdpnetworks.co.uk> wrote:
    > >Has anyone experienced anything like this?
    >
    > This happened to me when I used application variables such as
    >
    > (MyClass)Application["DelphiOne"] = new MyClass();
    >
    > and used variables in class like the following
    >
    > ((MyClass)Application["DelphiOne"]).MyName = "SD";
    >
    > There were problems as described by you (one user's data coming on another's
    > screen). I solved the problem by replacing the "Application" keyword with
    > "Session" keyword. But the session state timeout must be set in web.config
    > file. Read the help on VS.NET for more info.
    > SD




  12. #12
    SD Guest

    Re: Big security problem


    "Matt" <matthew@cdpnetworks.co.uk> wrote:
    >Thanks, but I don't use application variables anywhere.


    You said you were using "ViewState" Variables? If so they could be acting
    in a similar way as "Application" variables. Check out.
    SD

  13. #13
    Matt Guest

    Re: Big security problem

    If that's the problem then the whole asp.net platform is flawed surely?


    "SD" <vb.@127.0.0.1> wrote in message news:3ed61d9b$1@tnews.web.devx.com...
    >
    > "Matt" <matthew@cdpnetworks.co.uk> wrote:
    > >Thanks, but I don't use application variables anywhere.

    >
    > You said you were using "ViewState" Variables? If so they could be acting
    > in a similar way as "Application" variables. Check out.
    > SD




  14. #14
    Steve Pierce Guest

    Re: Big security problem



    That certainly has not been my experience. I usually find that problems
    of this nature are found to be flaws in the design or implementation rather
    than the platform.

    I would suggest that you re-cast the process to use session variables rather
    than viewstate to persist data between requests. The network admin can tune
    website performance without app developer intervention easier and the page
    responds much better for our slow-bandwidth customers. Viewstate also has
    the downside of being completely open and accessible to the user and provides
    a security hole itself.

    "Matt" <matthew@cdpnetworks.co.uk> wrote:
    >If that's the problem then the whole asp.net platform is flawed surely?
    >


