Security :: How To Stop Users Accessing Other's Data
Jul 12, 2010
We have a few scenarios which mean users can see other users data if they're on the same machine.
Scenario 1
Login User A Browse to forms with perosnal data Logout User A Login User B Either hit back button until you reach User A's personal data or.. Use browser history to jump directly to user A's personal data.
Scenario 2
Login User A Browse to forms with personal data Close browser New Browser, Use history to go directly to User A's data.
The 2nd one was caused by the browser displaying the page from its cache, so for that one, I added the following to the web.config..
[Code]....
[Code]....
which seems to do the trick, but I need to know how to fix the first part and whether the web.config changes are all that's needed to clear any cache.
I have a web site with an administrative section. All administrative pages are stored in a directory called "db/administration". There is only one user that I want to have access to the pages in this directory. That user's username is "system". Currently, I am using the following approach in my web.config file:
[Code]....
When I logged in as another user, I was still able to access pages under db/administration when I navigated to them through the browser's address bar. What am I doing wrong?
I need to stop users users using the browser back button and potentially submitting an old version of a form.
I'm storing a guid in a session variable and also writing the value to a hidden form field and then checking the session value against the hidden field value if a user does try to navigate back and submit an old form.
If the form is submitted and the user wants to complete a new copy of the form then a new guid is generated both to the session and to the hidden form field. Now, if the user decides to hit the back button a few times to get the old form and tries to submit it again, the page checks the current guid in session against the guid stored in the form field and it finds a mismatch and prevents the form being submitted.
This works as expected in Chrome and Firefox, but in IE6, when the user hits the back button to view the old form, the new guid value appears in the hidden field of the old form! This means the user can submit the old form again, which we definitely do not want.
I've got a website and we just had a huge jump in traffic. Now all of the sudden we're getting sql parameter errors left and right. We switched to a new sql server a few weeks ago and everything has been fine but the added traffic seems to be breaking us.
I have a data access class that is called when each user trys to logon. It runs through several tasks before finally updating the users last login date and forwarding them to the administration section.
What I'm seeing from the trace logs suggests that when I'm logging in the first several tasks are using my data (lets say user=birk pass=word). But at some point the accessor class starts sending over the data from someone else who's trying to login (lets say user=abcxyz)
Every connection we make to the server is closed when we're finished with it. I'm nulling out all of the accessor objects when I'm finished with them. But somehow different user data from different sessions are making their way into other peoples instances of the object.
I'm not using session/application/cache/viewstate to store the objects so I'm not really seeing how they could edit eachother... Its just really weird and I'm not sure how to even go about researching the problem.
This is roughly the accessor class... I trimmed out some of the parts that weren't reliant to the issue
My testers have discovered that if you type free text into a file upload input then none of the buttons on the page work until that text is removed (so the page cannot be submitted).
I am able to replicate this with the following ASPX code (with no code behind):
(Note that I haven't bound any handlers to the page; despite this, the page is submitted when the submit button is clicked only if no text is entered into the upload text box)
Is there any way to prevent users from typing free text into a file upload control? It seems that this is only possible in IE - Firefox and Chrome natively prevent text from being entered into upload input fields.
I've seen solutions elsewhere which suggest hiding input and replacing it with a label / button combo, but this seems like it might cause more problems and work inconsistently across browsers.
I have created small webapplication. I kept Login Control and Logout Control. I want to keep one Security issue. No user can access data without login. For example when we want to post any Question in this website Users should login Like that i want to do to my website.
We have implemented the ASP membership and roles..and we would like to display the users currently logged in and also display the number of users online so we can display that on the page. The list of users woudl only be available to our admins. BUt the number of users will show for everyone.
How to Protect Web services from Un authenticated users.. right now Im Using Protected Access specifiers.. Is it Correct method To Protect Web services?
I just realized after i created a test account i was not in any roles. Is there a way to automically add new users into the role Users? Have i missed this some where?
I need to do an insert into a database table (SQL Server). I want to compute value of 1 column based on the existing data and then do an insert. How do I prevent another user from getting access to the database in the middle of this process?
i am still relatively new to web development and have been encountering some issues when multiple users click a button at the same time.
i was wondering what could be causing this as i have already removed all static variables realiseing that was a mistake and replaced them with viewstates were needed then sessions when moving across pages
I have an ASP.Net 4.0 web application which very frequently loads data from the database and does heavy calculations on it. I want to cache this loaded and prepared data in a central cache that can be accessed by every user and computer who uses the application.
Simple use-case:
User 1 accesses webpage, cache is empty, data is loaded/calculated, data is cached User 2 accesses webpage, cache contains data, data loaded from cache User 3 accesses webpage, cache contains data, data loaded from cache User 1 reloads webpage, cache contains data, data loaded from cache Cache expires User 3 refreshes webpage, cache is empty, data is loaded/calculated, data is cached
I know that ASP.Net has a built-in cache mechanism. What I don't know is whether it can be shared between different users accessing the site on different computer at the same time. I would also like to know how the system behaves in a web farm environment.
i have create web application for school management system...bt when i run my webside...(my welcome page is defaul.aspx bt if i want to acces studentdetail.aspx then i only enter url and i get studentdetail.aspx)
this is the ecenario, we're developing a web application in vb.net using vwd 05, and everthing has been great so far, we've recevied a lot ideas from the guys on this great forum. now we're facing a problem relating with usernames and userids.Our web application has 5 different roles, and theres a funtionality needed on a dropdownlist related to the user roles.
we're trying to store users full name and other data, i've seen the tutorials about storing addtional information and everthing is very clear there, the problem now is this code we have already to fill a dropdownlist.
Dim techUsers As String() = Roles.GetUsersInRole("tech") For Each usr As String In techUsers DropDownList1.Items.Add(usr) Next
So basically were looking at storing the user id of the user just created with the create new user wizard to our table where full name is gonna be stored.
table is like this:
userid
full name
and other data required here. etc
so basically, we're filling the dropdownlist with the usernames of the users in the tech rol with the coded i posted above, but we need to instead of showing the username(which is our case is just number) ,show the full name of that users belonging to the tech role, obviouly its just a query, but how to get the full names of users beloning to a specified role? thats the main question and problem we have right now.
i working on event managment registration and i need to make a roll for visitors and roll for exhibitors isitor most enter data to visitor profile with data likefirst name,last name , DOB, Mobile Number, tel , fax and exhibitor most enter data to exhibitors profile data with different data .it's easy to make it for visitor or exhibitors with one profile how to make it with different data profiles what the logic to make that
Im building a web application that charges for access on a per user basis. Ive used standard roles and membership for setting up accounts and logging in. I want to ensure that a client cant use the same user details to login more than once
ie if user abc1 is already logged in, someone else cannot login again using the same credentials
i used security in login page which restricts all users who have not logged in to all pages. I need to restrict specific users to specific pages. I'm not using AspSqlService provider. So i cannot create roles and restrict automatically. And the pictures i use in login page are not visible @ runtime.
Working on my first asp.net webpage. i have followed video tutorials and implemented asp.net membership for login/security.Using Visual Studio 2010 i can open the Asp.net configuration page for management locally.But then if I want my site admin to manage users/security online, how is this done? Like manage through a web browser. I guess this asp.net configuration GUI is not available on the internet?
