Security :: Wrong User Being Recognized By HttpContext.Current.Request.LogonUserIdentity.Name?
Nov 30, 2010
I was/am struggling with security for my first MVC application. It worked out great for me, but not for my users. I wanted to use Windows Authentication (and I seem to have that working). But when I was still trying to implement it, I was on one of our users' computers where they were logged in. I navigated to the main Index page and used the supplied MVC login link and *MY* credentials. So now every time that user navigates to that page, it logs her in as me. We are using IE8, and I have deleted all the cookies, passwords, and forms information I can find through Tools|Internet Options|Tool|Content|AutoComplete.
View 6 Replies
Similar Messages:
Nov 30, 2010
I have IIS on S2k8 and a website with Windows Authentication only.
I can easily reproduce the following scenario, where HttpContext.Current.Request.LogonUserIdentity.Name has a bad value:
1) Login to website using FireFox, using an Active Directory account "user" (I could use IE to reproduce the same, but it's a few extra steps)
2) Display <%=System.Web.HttpContext.Current.Request.LogonUserIdentity.Name%> on the page
3) It shows "DOMAIN\user", which is correct
4) I go into Active Directory and rename the account to be "userX" instead of "user" (both SAMAccountName & UPN)
5) Restart FireFox
6) Login to website using "userX" account
7) The page still shows "DOMAIN\user", instead of the expected "DOMAIN\userX"
It seems almost as if IIS has cached the old username and it's not showing me the new one, even though I explicitly enter it in the login prompt.
View 6 Replies
Sep 7, 2010
I create two pages. The first one is the login page with user name and password textboxes (not the ASP login control). When clicking the login button I check the login authentication; if it is true, I redirect to the default page. In the default page, if !IsCallBack, then I check httpcontext.current.user.identity.isauthenticated; if it is false I redirect the user to the login page. But my problem is that httpcontext.current.user.identity.isauthenticated is always false.
Below is the authentication section in web config
[code]....
View 5 Replies
Jan 18, 2010
We have a SharePoint site with no login (anonymous) with a search module using AJAX. Now the users complain that the module isn't working. When I check the code (not developed by me), I find that the code only runs if "HttpContext.Current.User.Identity.IsAuthenticated=true". Could that ever return true on an anonymous site?
View 1 Replies
Feb 2, 2010
What are the differences (behind the scenes) between Page.User.Identity and Request.LogonUserIdentity? Not the differences in type, name, etc but the differences in how they're implemented behind the scenes (i.e. one calls windows xxx api and the other calls asp.net xxx api...).
View 1 Replies
Apr 28, 2010
Why does HttpContext.Current.Request.Url.Host return a different URL than the URL used in the Web browser? For example, when entering "www.someurl.com" in the browser, the HttpContext.Current.Request.Url.Host variable is equal to "www.someotherurl.com".
View 1 Replies
Feb 1, 2010
I've got an ASP .Net application running on IIS7. I'm using the current url that the site is running under to set some static properties on a class in my application. To do this, I'm getting the domain name using this (inside the class's static constructor):
var host = HttpContext.Current.Request.Url.Host;
And it works fine on my dev machine (windows XP / Cassini). However, when I deploy to IIS7, I get an exception: "Request is not available in this context".
I'm guessing this is because I'm using this code in the static constructor of an object, which is getting executed in IIS before any requests come in; and Cassini doesn't trigger the static constructor until a request happens. Now, I didn't originally like the idea of pulling the domain name from the Request for this very reason, but it was the only place I found it =)
So, does anyone know of another place that I can get the host domain name? I'm assuming that ASP .Net has got to be aware of it at some level independent of HttpRequests, I just don't know how to access it.
View 3 Replies
Jul 28, 2010
In an asynchronous process, I need to get the name of the domain/server the web application is running on. But in that situation HttpContext.Current is not available, so I can't use HttpContext.Current.Request.ServerVariables("SERVER_NAME").
View 7 Replies
Apr 15, 2010
I have various web pages that need to build up a URL to display or place it in an emitted email message. The code I inherited had this value for the name of the webserver in a Public Const in a Public Class called FixedConstants. For example:
Public Const cdServerName As String = "WEBSERVERNAME"
Trying to improve on this, I wrote this:
Public Class UIFunction
    Public Shared myhttpcontext As HttpContext
    Public Shared Function cdWebServer() As String
        Dim s As New StringBuilder("http://")
        Dim h As String
        h = String.Empty
        Try
            h = Current.Request.ServerVariables("REMOTE_HOST").ToString()
        Catch ex As Exception
            Dim m As String
            m = ex.Message.ToString() 'Ignore this should-not-occur thingy
        End Try
        If h = String.Empty Then
            h = "SomeWebServer"
        End If
        s.Append(h)
        s.Append("/")
        Return s.ToString()
    End Function
End Class
I've tried different things while debugging such as HttpContext.Current.Request.UserHostName and I always get an empty string which pumps out my default string "SomeWebServer". I know Request.UserHostName or Request.ServerVariables("REMOTE_HOST") works when invoked from a page but why does this return empty when invoked from a called method of a class file (i.e. UIFunction.vb)?
View 2 Replies
Oct 6, 2010
When user requests http://localhost/WebApp1/Default.aspx, txtApplicationPath.Text should be assigned "/WebApp1", while txtAbsolutePath.Text should be assigned "http://localhost/WebApp1/Default.aspx", but instead both textboxes display empty strings.
[code]...
View 1 Replies
Oct 20, 2010
I am writing a web service in vb.net/asp.net 2 that needs the user's name. It works fine when the url request is "www.mysite.com", but if anyone has logged in using "mysite.com" without a "www" and goes to the page that calls my web service, the HttpContext.Current.User.Identity.Name gives null. How can I resolve this problem?
View 2 Replies
May 17, 2010
I have a security manager in my application that works for both windows and web, the process is simple, just takes the user and pwd and authenticates them against a database then sets the Thread.CurrentPrincipal with a custom principal. For windows applications this works fine, but I have problems with web applications.
After the process of authentication, when I'm trying to set the Current.User to the custom principal from Thread.CurrentPrincipal this last one contains a GenericPrincipal. Am I doing something wrong? This is my code:
Login.aspx
[code]....
View 5 Replies
Sep 9, 2010
I am trying to configure one http module (a vb module) on a MOSS site. In this module I have an entry like the one below:
Dim roles As String() = Nothing
Dim webIdentity As New GenericIdentity(OracleUser, "Form")
Dim principal As New GenericPrincipal(webIdentity, roles)
HttpContext.Current.User = principal
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(HttpContext.Current.User.Identity.Name.ToString, False)
Due to this I am getting a 500 internal server error, and the exception in the browser is: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedValue
If I comment out the two "HttpContext.Current.User" related lines, then it redirects to the form login.
View 1 Replies
May 14, 2010
I have created an ExtendedId class which extends GenericIdentity. (This stores Id as well as name)
In a httpmodule I stored this extended id in Current.User like so:
HttpContext.Current.User = new GenericPrincipal(myExtendedId, roles);
Problem is, later, how do I get at my ExtendedId type again?
If I try this:
ExtendedId eId = (ExtendedId)HttpContext.Current.User.Identity;
View 2 Replies
Feb 24, 2011
I have one IIS entry with AppPool integrated mode. There are 5 or more host headers assigned. The application pulls data based on the host name from Request.Url.Host. When I have 2 or more sites open at the same time the value of the Request.Url.Host is the same across all the sites. About every 30 seconds it resets itself to the correct value from the last request and shows that value on the other sites. So ultimately the sites are loading the same data. The value in the HOST server variable is incorrect as well.
View 1 Replies
Jul 8, 2010
Is it possible to create another property like 'userid' that I can access like
HttpContext.Current.User.Identity.userid? If yes, how? (Actually, last year I did something like this but I have forgotten
View 1 Replies
Sep 29, 2010
I have an ashx handler that was working fine in VS2008 but when I upgraded to VS2010 (haven't gone back to VS2008 to double check though) and when I try to grab the value from HttpContext.Request.Params["update"] I get the following error:
+ ex {"A potentially dangerous Request.QueryString value was detected from the client (update="<SETIProducts><Produ...")."}
System.Exception {System.Web.HttpRequestValidationException}
View 3 Replies
Apr 9, 2010
We're migrating an application to use IIS7 integrated mode. In library code that is designed to work either within the context of an HTTP request or not, we commonly have code like this:
if (HttpContext.Current != null &&
    HttpContext.Current.Request != null) {
    // do something with HttpContext.Current.Request
} else {
    // do equivalent thing without HttpContext..
}
But in IIS7 integrated mode the check for HttpContext.Current.Request throws an exception whenever this code is called from Application_Start.
protected void Application_Start(object sender, EventArgs e)
{
    SomeLibrary.DoSomethingWithHttpContextCurrentDetection();
}
Results in:
System.Web.HttpException: Request is not available in this context
How can I detect whether the request is really available without wrapping these calls in an exception handler and taking action based on whether an exception is generated or not?
Looking at HttpContext in Reflector I see it has an internal bool HideRequestResponse field but it's internal so I can only get to it with reflection and that's fragile. Is there a more official/approved way to determine if it's ok to call HttpContext.Request?
This blog post about the subject says not to use HttpContext, but how, in generic library code, can you determine if it's ok to use HttpContext?
http://mvolo.com/blogs/serverside/archive/2007/11/10/Integrated-mode-Request-is-not-available-in-this-context-in-Application_5F00_Start.aspx
I'm using the work-around mentioned there which is to use Application_BeginRequest and an initialized field to only initialize once as part of BeginRequest, but that has to be done in every calling application whereas I'd prefer to make the library code more robust and handle this situation regardless of where it's called from.
View 4 Replies
Mar 11, 2010
I have a static class with several static methods. In these methods, I'm trying to access the current thread's context using HttpContext.Current. For example:
var userName = HttpContext.Current.User.Identity.Name;
However, when I do that, I receive a NullReferenceException, the infamous "Object reference not set to an instance of an object."
View 3 Replies
Feb 15, 2011
I am building a simple intranet site and want to get the employee's user name, but when I use Request.LogonUserIdentity.Name, I keep getting the server's credentials and not the user's. What am I doing wrong, and is there a better way to do this?
View 1 Replies
Apr 29, 2010
We have an application using Windows authentication and have a <Domain>\olduser account.
We renamed the account in Active Directory to <Domain>\olduser2.
We log in to a PC as <Domain>\olduser2 and try to access our application.
The problem is we can't log in anymore.
When I debug the application, I can see that the HttpContext.User.Identity.Name is still <Domain>\olduser.. and not olduser2
View 3 Replies
Mar 4, 2010
I use the CreateUserWizard in order to create users. Asp.net automatically generates a password which is sent to the user by email.
The email address must be like this: firstname.name@ourdomain.be . If 'firstname.name' doesn't exist in our Exchange server ('ourdomain.be'), then:
1) the user is still created
2) the message page with: 'Mailbox unavailable. The server response was: 5.1.1 User unknown' appears
E.g: if user John Wayne introduces by error Jhn.Wayne@ourdomain.be , then this user must not be created, and only a simple Alert-message must appear.
I tried a lot of Try / Catch / Endtry but all my attempts fail: the user is always created and the whole message page appears. I also tried with CreateUserWizard1_SendMailError sub.1
Here is the aspx file:
[Code]....
View 3 Replies
Nov 23, 2010
I'm using an example in which I can fake the session. It's for use in a unit test of an mvc controller. In the test I create a controller and then I do this:
FakeHttpContext httpctx = new FakeHttpContext(null,null,null,null,mSessionItems );
ControllerContext ctx2 = new ControllerContext(httpctx,new RouteData(), target);
Here mSessionItems is my session and target is my instance of a controller, and indeed, when I'm in a controller reading this.ControllerContext.HttpContext.Session, I have a session, great! But.... I also read the session outside the controller, and there I use HttpContext.Current.Session, and that is null (or actually, the HttpContext.Current is null).
View 1 Replies
May 20, 2010
How do I lock the user after entering the wrong password 3 times?
View 10 Replies
Nov 23, 2010
I have been experimenting with code that will clear all of the cookies in an HttpContext.Response. Initially, I used this:
DateTime cookieExpires = DateTime.Now.AddDays(-1);
for (int i = 0; i < HttpContext.Request.Cookies.Count; i++)
{
    HttpContext.Response.Cookies.Add(
        new HttpCookie(HttpContext.Request.Cookies[i].Name, null) { Expires = cookieExpires });
}
This will error with an OutOfMemoryException because the for loop never exits - each time you add a cookie to the Response, it also gets added to the Request.
View 1 Replies