Security :: Detect Multiple User Logging Into The Same Domain In One Browser?
Jul 12, 2010
Two users using the same machine, same browser.
User 1 logs in the domain.
User 1 changes some data without saving it.
User 2 logs in the domain in a separate tab.
User 1 switches back to his tab and saves the data.
User 1 actually saved the data into User 2!!
This is caused by the following mechanism:
Different tabs in the same browser seems to share the same session id. We are storing user auth in cookie and the cookie is shared between tabs (same domain)
Therefore, when User 1 request to save, it is recognized as User 2 since the cookie has been updated to User 2.
So I'm wondering if there's any other methods to prevent this from happening, other than:
1. Use cookieless session so the session is embedded in uri.
2. Always include a hidden field in page to indicate which user owns the page.
View 1 Replies
Similar Messages:
Jul 10, 2010
So its a ASP.NET problem where two users using the same machine, same browser:
User 1 logs in the domain.
User 1 changes some data without saving it.
User 2 logs in the domain in a separate tab.
User 1 switches back to his tab and saves the data.
User 1 actually saved the data into User 2!!
This is caused by the following mechanism:
Different tabs in the same browser seems to share the same session id.
We are storing user auth in cookie and the cookie is shared between tabs (same domain)
Therefore, when User 1 request to save, it is recognized as User 2 since the cookie has been updated to User 2.
So I'm wondering if there's any other methods to prevent this from happening, other than:
1. Use cookieless session so the session is embedded in uri.
2. Always include a hidden field in page to indicate which user owns the page.
View 3 Replies
Sep 20, 2010
We use windows authentication. User opens our website in tab1 and does some action but with out clicking on save he opens a new tab tab2 and opens the same website again. Now, if the user session in tab1 is active i need to warn users that the he is already logged on to application in some other browser and go to some log out page. But if the user session in tab1 is timed out then he must be able to continue with the website in tab2 as usual, but if he tries to do anything in tab1 he should go to session expired page.
I tried implementing it in following way.
I have a hidden field in each page which will be set to unique Id using GUID.NewID().
when user requests for a page the following code is executed.
[Code]....
View 1 Replies
Jul 28, 2010
Im building a web application that charges for access on a per user basis. Ive used standard roles and membership for setting up accounts and logging in. I want to ensure that a client cant use the same user details to login more than once
ie if user abc1 is already logged in, someone else cannot login again using the same credentials
View 6 Replies
Apr 26, 2010
FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false); After doing this, the user is logged in with the txtUser.text
But the question now is, how do i retrieve that user name from Authentication or whatever on other pages? is it possible or not?
Because i know that person stays logged in untill he logs out with this code: FormsAuthentication.SignOut();
And one more question i dont know is this one good for this or not how do i better check if the person is typed in correct name and pasword or not, with executescalar or executereader?
View 6 Replies
Feb 4, 2010
I have a login form from the membership and I am trying to make it so that it would redirect depending on role. I have tried to put this code under login1_loggedin but it didn't seem to work. how can I do this?
View 1 Replies
Dec 16, 2010
I am looking at how best to prevent a single user account logging on multiple times in a webforms application. I know that MembershipUser.IsOnline exists, but I've read a few forum and blog entries suggesting that this can be unreliable, particularly in scenarios where a user closes a browser (without logging out) and attempts to logon with a different machine or browser.I looked at implementing a last past the post type system; when a user logs on older users are simply kicked off. It seems that FormsAuthentication.Signout() only works for the current user.
View 2 Replies
Oct 27, 2010
I am currently using the built in ASP login function... the destinationpageurl of that login function locates to "loginhome.aspx" for all users... but for one specific user ("Admin") it needs to link to "adminhome.aspx"... just wondering whats the best way to do this? Can I change the destinationpageurl of the login function depending on the user or creating an admin role so "If membershiprole = 'Admin' redirect to 'adminhome.aspx' End If" or can I just add some code behind the login function so "If User.login.Name = 'Admin' Then destinationpageurl = 'adminhome.aspx' End If" think I have already tried this on the login1_authenticate event but it didn't work
View 3 Replies
Jun 18, 2013
I have a web application that runs via IIS 7 what i want to do with the application (Asp.net with C#) is only load if the browser is greater than IE9, or greater than or equal to Chrome27 or greater than or equal to firefox19.
How to do this or areas i should read to do such a thing?
View 1 Replies
May 19, 2010
I have this web application built. I am using windows authentication for this application. I have to log all the user activity as wells as site activity in this application. I have the below mentioned class established to log some activity regarding the user to an SQL server database table..
[code]....
I would still need to log many other items regarding the user and also the site, like the time spent by the user on the site, no: of currently logged in users on the site. Can anyone here suggest me as to how do I capture those items?? let me know if I am going in the right direction too.....?? If you can provide me with some links on this "user activity logging for windows authenticated applications".
View 3 Replies
Nov 8, 2010
We are upgrading the asp.net 2.0 web application to asp.net 4.0. The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain. the URL like,mydomain.com/login.aspxmydomain.com/franchise/login.aspxmydomain.com/admin/login.aspx In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time. After the up gradation process (ASP.NET 2.0 to 4.0),We didn't run all three applications in same times and also form authentication crossed.
View 2 Replies
Sep 8, 2010
Let's say that you have 2 or N domains pointing on the same ip address, your server (in my case Windows Server with IIS) and you want to make custom site for every domain name so you have to detect which domain is user currently using.
There should be two "custom sites". One is Administration aplication site with just one domain name pointing on it, and the other is aplication that handles multiple domain names and based on it displayes different sites.
Good example is shoutem network. At [URL] is administration page and aplication instances are [URL]and [URL], separate aplication that handles different domain names.
View 3 Replies
Jul 16, 2010
If I have a generic public asp.net website, I want to know who is visting my website (I know how to get that), but more importantly, I want to know what company the user is from (is this a microsoft employee viewing my website, or a Coca Cola employee viewing my site or is this person using a home computer to view my site). How can I determine the computers domain name? Hope this is making sense. Update: At most companies, I have seen the company name included as the "Full Computer Name" or the Domain value in "Computer name, domain and workgroup settings". Thats what I am looking to access.
View 3 Replies
Apr 5, 2010
All I'm trying to do is pull the current user's login name from Active Directory. I've tried User.Identity.Name.ToString, which returned nothing at all. I tried Environment.UserName.ToString, Which returned "NETWORK SERVICE" which is not the firstname.lastname username that I was expecting.
View 3 Replies
Jan 12, 2011
I think my subject line explains my problem in a nutshell.. I have a login page, I login like I should and everything works.I logout and when I type/paste the address to the page, in the address field, I still reach it just like if I was still logged in..The page I type in the address field is in a subfolder, only suppose to be able to be reached by logged in users and in this folder,ith it's own web.config-file:
<?xml version="1.0"?>
<configuration>
<system.web>
[code]...
View 9 Replies
Jan 7, 2011
I have a message board pulling user-submitted posts stored in SQL server. When users submit their post, they may enter something like "www.asp.net" in plain text, but I want it to show up as a hyperlink on the board. How can I accomplish that? I'd also like to identify @replies and show them in a different color, and I believe one method should be able to do both.
View 3 Replies
Mar 9, 2010
Im working on an application that has a login section that accepts a username and password. On successful login a userid is returned and encrypted with TripleDesKey. The user details are then stored in a session object. We already have a class library that performs encryption and decryption using a key in the web.config file. I basically want to be able to access the user details of the currently logged in user in a page accessed from the main site that may be in a different domain, but is effectively part of the same site, so I wont have access to the session object from the main site. so basically a user logs in, I have the user details stored in a session object, I also have access to the encrypted userid also in a session object. If a user then clicks a link to another page that is in a different domain, how do I persist the userID?
I suppose I could I tag the encrypted userid to the querystring, but security could be an issue here (even though the id is encrypted, someone could still modify it)
View 2 Replies
Jul 16, 2010
We are using IIS6 and .Net Framework 2.0 for our intranet with Windows and Digest Authentication . We have 2 domains that have access to this intranet. I suddenly have the need to display slightly different content for users from Domain A. The changes are rather trivial (text on a label and and image in a header) but important to our stakeholders.
View 4 Replies
Jun 18, 2010
I want to make my domain administrators the administrators to my web application so that they are the only ones that can change content. All other users would simply be able to read the material. I am relatively new to web apps and I can not seem to find what I am looking for anywhere on the net.
View 2 Replies
Jan 27, 2011
Can I get who the remote user is on IIS Server that is not part of the domain without challenging/prompting the user? I am thinking not, but wanted to see if anyone had a different answer. I added the server to my intranet zone but that didn't cause IE to send any user information. Or maybe it did but since the IIS server is not part of that domain it can't do anything with the user information. I am looking at the ServerVariables in the Request object.
View 1 Replies
Oct 7, 2010
I am using Form Based Authentication in my application. I am using standard method to create FormsAuthentication cookie using
FormsAuthentication.SetAuthCookie('username', boolRememberMe)
FormsAuthenticationTicket ticket =
new FormsAuthenticationTicket(1,
username, DateTime.Now, DateTime.Now.AddMinutes(60),
remember, UserObject.Entity.UserName);
When clicked on particular URL, i need to pass whether user has checked REMEMBER ME CHECKBOX while logging in. How can I determine this using FOrmsAuthentication mechanism?
View 3 Replies
Dec 23, 2010
I have a machine in MyDomain on which i have deployed the website and file server as virtual directory. For file server i have created an application pool with identity as UserName and Password. And file server directory setting as Integrated Windows Authentication instead of Anonymous Access. When i am accessing file server from outside the domain then it is asking for user name password. After providing the credentials it open the file. Now i am trying to access the file server from wbsite using the machine outside the domain.Before accessing i am impersonating the current user with user which is present in identity. But after redirecting to the file server url it is again asking the credntial. why it is asking the credential if i have already impersonated the user.
View 4 Replies
Oct 27, 2010
I am using forms authentication in asp.net application. This is working fine in internet explorer. Opening application in firefox is also fine but when i login in second instance of firefox, application in first instance logs out. Following is my code for creating ticket and cookie.
FormsAuthenticationTicket objTicket = new
FormsAuthenticationTicket(1, sUserName,
DateTime.Now,
DateTime.Now.AddMinutes(60),
false,
"");
HttpCookie objCookie = new
HttpCookie(FormsAuthentication.FormsCookieName);
objCookie.Value = FormsAuthentication.Encrypt(objTicket);
objCookie.Expires = DateTime.Now.AddHours(1);
HttpContext.Current.Response.Cookies.Add(objCookie);
View 1 Replies
Feb 17, 2011
I have also installed SSL on a subdomain. I have put payment page under this sub domain.
View 4 Replies
Sep 28, 2010
My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.Basically I am working at my client site and my machine is not connected to the domain.What I want to do is running a web application locally under a domain account, and using the webdev server.The webapp uses the default authentication, windows authentication that is.I tried using impersonation with domainuser & password but I got the following error Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.I have to mention that the username and the password are correct.
View 2 Replies
