start date: Wed, 15 Aug 2007 00:22:02 -0700,    posted on: microsoft.public.dotnet.framework.aspnet.security        back       

Thread Index
  1    peprom
          2    Alexey Smirnov
                 3    peprom


Session data loss during user logged session   
Hello

I am developing a web application, which is a part of an IT project. In my web 
app Administrators can add end-users of this project. My web app is at the 
end of the development process (it is on beta tests now) and it is my first 
asp.net project.
I am using asp.net 2.0, SqlServer Enterprise and asp.net ajax framework 1.0 
(to make my site modern).
I am using the forms authentication method in my login page. After an Administrator 
successfully logs in (I am using FormsAuthenticationTicket to save some 
information such as user role, then I encrypt this information 
using the FormsAuthentication.Encrypt() method and finally I save it 
in Cookie.Value), he is going to choose one of his profiles - he can have a few 
profiles (I am saving this information simply with the Session.Add method, and then 
check the state of these values and the current User.IsInRole method in every Page_Load 
event). In conclusion - we have an encrypted ticket with some values and 
session state of the previously chosen profile. 
Yesterday I unexpectedly encountered this strange situation. After 
successful authorization I made some operations, then I pressed the 
back button on my page (which calls the Response.Redirect(Default.aspx) method) 
and suddenly discovered that I had become another logged in user (my 
page is on tests and probably a few people were working at the same time as me).
I was logged in as another user (I have lost my ticket and session and got the 
session and ticket of another user)!! This situation is frightening for me. I 
prefer the program to crash and send some strange error information than the 
situation above.
This situation has never happened to me on the local machine and probably can 
happen when 10 or more people are working at the same time.
For me - this situation shouldn't take place - logged in users should be in 
separate threads for the iis server and can't cross each other. 
I don't know what to do. I can limit the number of connections to a small number 
(I think this is the fastest method) but I don't know how it deals with ajax. 
I would like to avoid a situation when logged in users suddenly lose their 
sessions because of connection limits.
I would like to ask you for some advice, articles or examples - how to 
configure iis for this kind of situation (Sessions etc - I have default 
settings), how to deal with the logging process (some patterns and practices - 
this is my first asp.net project).
I don't know the reason for this situation - maybe the Session is too large (I am 
collecting in session state data from the database to make google-like suggestions 
for a textbox), maybe ajax and the asynchronous calls make this strange 
situation (I am using the UpdatePanel control in my page - every control in my 
page is inside an UpdatePanel).
Maybe the Ajax Framework (1.0 version) can't deal properly with a big number of 
active sessions..
Thanks in advance
Date:Wed, 15 Aug 2007 00:22:02 -0700   Author:  

Re: Session data loss during user logged session   
On Aug 15, 9:22 am, peprom  wrote:

> Hello
>
> I am developing a web application, which is a part of an IT project. In my web
> app Administrators can add end-users of this project. My web app is at the
> end of the development process (it is on beta tests now) and it is my first
> asp.net project.
> I am using asp.net 2.0, SqlServer Enterprise and asp.net ajax framework 1.0
> (to make my site modern).
> I am using the forms authentication method in my login page. After an Administrator
> successfully logs in (I am using FormsAuthenticationTicket to save some
> information such as user role, then I encrypt this information
> using the FormsAuthentication.Encrypt() method and finally I save it
> in Cookie.Value), he is going to choose one of his profiles - he can have a few
> profiles (I am saving this information simply with the Session.Add method, and then
> check the state of these values and the current User.IsInRole method in every Page_Load
> event). In conclusion - we have an encrypted ticket with some values and
> session state of the previously chosen profile.
> Yesterday I unexpectedly encountered this strange situation. After
> successful authorization I made some operations, then I pressed the
> back button on my page (which calls the Response.Redirect(Default.aspx) method)
> and suddenly discovered that I had become another logged in user (my
> page is on tests and probably a few people were working at the same time as me).
> I was logged in as another user (I have lost my ticket and session and got the
> session and ticket of another user)!!


I think it's a bug somewhere in the code; check again how you
authenticate the users.

In general, if you store the FormsAuthenticationTicket in a cookie then
you don't need to use the Session object.
In global.asax create a new GenericPrincipal instance, add the roles
and assign it to the current user:

protected void Application_OnAuthenticateRequest(Object src, EventArgs e)
{
   HttpContext currentContext = HttpContext.Current;
   if (currentContext.User != null)
   {
      if (currentContext.User.Identity.IsAuthenticated)
      {
         if (currentContext.User.Identity is FormsIdentity)
         {
            FormsIdentity id = currentContext.User.Identity as FormsIdentity;
            FormsAuthenticationTicket ticket = id.Ticket;
            string userData = ticket.UserData;
            // Roles is a helper class which places the roles of the
            // currently logged on user into a string array
            // accessible via the Value property.
            Roles userRoles = new Roles(userData);
            currentContext.User = new GenericPrincipal(id, userRoles.Value);
         }
      }
   }
}

More info can be found here
http://msdn2.microsoft.com/en-us/library/Aa289844(VS.80).aspx

Hope this helps
Date:Wed, 15 Aug 2007 18:29:08 -0000   Author:  
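The two halves of the approach Alexey describes, as an added example that is not code from either poster: the login page issues the encrypted ticket, and Application_AuthenticateRequest rebuilds the principal from that ticket alone. It assumes a Global.asax in an ASP.NET 2.0 site and a constructed UserData layout of "role1,role2|profileId", so the chosen profile travels in the ticket rather than in Session.

```csharp
// Added example, not the poster's code. Assumes ASP.NET 2.0 forms
// authentication and a constructed UserData layout "role1,role2|profileId".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketAuth
{
    // Call from the login page only after credentials have been verified.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, string profileId)
    {
        string userData = string.Join(",", roles) + "|" + profileId;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, userData, FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honour <forms requireSSL="true">
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal on every request from the decrypted ticket,
    // so roles and the chosen profile never depend on Session state.
    public static void OnAuthenticateRequest(HttpContext context)
    {
        FormsIdentity id = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated)
            return;                                     // anonymous request, nothing to do

        string[] parts = id.Ticket.UserData.Split('|');
        string[] roles = parts[0].Length == 0 ? new string[0] : parts[0].Split(',');
        context.User = new GenericPrincipal(id, roles); // User.IsInRole now works
        if (parts.Length > 1)
            context.Items["ProfileId"] = parts[1];      // per-request, never shared
    }
}

// In Global.asax:
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     TicketAuth.OnAuthenticateRequest(HttpContext.Current);
// }
```

Because everything the pages need is read back from the ticket on each request, a user who ends up with someone else's Session values still cannot gain that person's roles or profile.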

Re: Session data loss during user logged session   
Hello

First of all, thanks for your immediate answer. I have done some tests of my 
app (with visual studio team suite) and made a load test. During the test 
(where the computer simply was logging in, viewing some things, logging out etc) I 
turned on the browser and tried to work. I have collected the above 
error but I heaved a sigh of relief when I discovered that no ticket 
is obtained from another user but some session variables only. 
My end user, after successful authorization, chooses one thing from a 
radiobutton (this value is stored in session) and on the page UserName is visible 
(loginname web control).
While the test lasts, sometimes I collected the LoginName of the user who was 
authorizing in the load test, but when I made some request, my user name changed 
to the correct user name and I was able to work only with the privileges of the currently 
logged in user.
But this situation is strange .. My Loginname Control gets the Username of 
another user, which is currently performing some operations (automated by the 
load test) ..
I have changed my session settings to store in sql server..
It seems that some values of another Session Collection (of another user) 
are going inside my current Session Collection and temporarily (until the next 
request) replace it.
Or maybe it is the ajax feature/issue and I should make the page reload.. I 
don't know - this situation appears only when the number of currently logged 
users increases.
My current session settings are: SqlServerMode, timeout 20, cookieless false
Maybe I should decrease the timeout? My FormsAuthenticationTicket is set to 20 
minutes and I don't know if it is a good setting.
Maybe I should add some code inside the OnSessionStart event inside the Global.asax 
file, but what should I add?
Maybe I should check something on the PreInit event of the page life cycle?
Any advice?
Thanks
Date:Thu, 16 Aug 2007 17:59:25 -0700   Author:  
