Why / When Session Writes Vulnerable To Thread Termination

Feb 15, 2010

THE CODE:
Session["foo"] = "bar";
Response.Redirect("foo.aspx");

THE PROBLEM:

When foo.aspx reads "foo" from the session, it's not there. The session is there, but there's no value for "foo".
I've observed this intermittently in our production environment. But I don't mean here to ask a question about Response.Redirect().

THE EXPLANATION:

Bertrand Le Roy explains (the bolding is mine): "Now, what Redirect does is to send a special header to the client so that it asks the server for a different page than the one it was waiting for. Server-side, after sending this header, Redirect ends the response. This is a very violent thing to do. Response.End actually stops the execution of the page wherever it is using a ThreadAbortException. What happens really here is that the session token gets lost in the battle."

My takeaway there is that Response.Redirect() can be heavy-handed with ending threads. And that can threaten my session writes if they occur too near that heavy-handedness.

THE QUESTION:

What about ASP.NET session management makes it so vulnerable to this? The Response.Redirect() line of code doesn't begin its execution until the session write line is "finished" -- how can it be such a threat to my session write? What about the session write doesn't "finish" before the next line of code executes? Are there other scenarios in which session writes are similarly (as though they never occurred) lost?



Similar Messages:

Cross-thread Operation Not Valid: Accessed From A Thread Other Than The Thread It Was Created On

Apr 2, 2010

I want to remove checked items from checklistbox (winform control) in a class file method which I am calling asynchronously using a delegate, but it is showing me this error message:

Cross-thread operation not valid: Control 'checkedListBox1' accessed from a thread other than the thread it was created on.

I have tried invoke required but again got the same error. Sample code is below:

[code]....


C# - Accessing HttpSessionState (HttpContext.Current.Session) From Another Thread?

Nov 25, 2010

We have a web site which implements a central HttpSessionState management in App_Code like this:

[code]...

All of this worked fine until we needed to implement a time consuming process in a new thread...
In the second thread HttpContext.Current.Session is null (we know it's because the current context is different between threads) so everything fails:

Investigating we found that you could pass the session from one thread to another like this:

[code]...


State Management :: Session Used In Thread Class Return Null

May 5, 2010

I want to use session in thread class but it returns null in parent that is the page class.


State Management :: Reading Session Variables Changed By In A Thread

Mar 1, 2011

Since I changed from statemode "inproc" to stateserver I can't see changes done to the session variable in a thread. I can only see the first value set to the session variable!


SQL Server :: Close DB Connection Upon Application Termination?

Nov 19, 2010

The reason this question came up, is because if I run my website application with a SQL Server data store, and I terminate the browser (terminating the session), I try to open up SSMS to edit the DB. But I can't access the database because I believe there is still an open connection, even after application termination.

Is it recommended to close the database connection upon session/application closing? Or am I way off on what I'm thinking could be the problem?


Configuration :: Unable To Pass Session With Modal Popup Extender And Background Thread

Oct 2, 2010

I have a problem with a Modal Popup Extender that is monitoring a background thread.

I need to give feedback to the user about tasks that happened on the server side.

So searching on the internet gave me this solution: [URL]

Launch a thread, passing the Session variable, update a flag and a message, and show the info in the web with a timer.

Almost everything is fine, but on one server (sadly, close to production), after the task (and thread) is completed, the Session variable is set to null and the user is redirected to a "Session Expired" page.

[code].....

I noticed that this is a very slow server and some websites are very slow.

Session is managed with cookies and the timeout is set to 30 min.


How To Protect Resources (files) From Unexpected Web Application Termination

Jun 27, 2011

If a user clicked on a button, which runs a one minute process that MUST stay connected to the file (through the use of FileStream) for writing purpose, and he/she accidentally closed the browser. Currently, when that happens, if the user clicks on the button again, it will return an exception saying that the file is still being used. The part where I write to the file, the code for that is in a class library, which has a destructor (or finalizer, whichever), which calls a Dispose() method. It would usually take about 20 seconds before the file is free again to be used, but is there a way to make it quicker?

I'm thinking the way I'm designing my web app is not the conventional way. How do most people avoid this situation (ie. accidentally closing browser) where a file/resources are not freed up? Do they write into a SQL server instead of a flat file?


Visual Studio :: Debug A Multi Thread Program To See Local Variables Of Each Thread Using 2008

Jan 27, 2010

How can we debug a multi-thread program to see local variables of each thread using Visual Studio 2008?


Architecture :: How Can Thread Update A Variable Shared With The Main Thread

Nov 24, 2010

I'm new to threading and have used it successfully, but limited. I can spawn a thread and have the main thread reference variables in the spawned thread, but I don't know how to allow the spawned thread to reference (and update) variables in the main thread.

Any example threading code I've seen on the web appears to be WAY more complicated than what I do, so I am unable to understand or integrate into my code.

Here is a quick example of how I use threading:

[code].....


C# - Literal Control Vulnerable To XSS Attack?

Nov 1, 2010

I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?

System.Text.StringBuilder sb = new System.Text.StringBuilder();
// loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
    sb.Append("<script type='text/javascript'>");
    // add +1 to each item
    sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
[code]...


LINQ Statement Vulnerable To SQL Injection?

Sep 29, 2010

Is this LINQ statement vulnerable to SQL injection?

var result = from b in context.tests
where b.id == inputTextBox.Text
select b;

where context is an Entity and tests is a table. I'm trying to learn LINQ and I thought that the benefit of it was that it wasn't vulnerable to SQL injection, but some stuff I've seen has said differently. Would I need to parametrize this LINQ statement to make it safer? If so, how? Also, would this be considered LINQ to SQL or LINQ to Entities?


DataSource Controls :: Vulnerable To Sql Injection Attacks?

Jan 23, 2011

using a linqDataSource control... in the selecting event I have code like the following for a simple search feature:

[Code]....

In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?


What Are The Differences Between Currently Executing .NET Thread And Win32 Thread

Mar 24, 2010

I am reading the ASP.NET security documentation on MSDN. I come across these two terms and get really confused.

# WindowsIdentity = WindowsIdentity.GetCurrent()

which returns the identity of the security context of the currently executing Win32 thread.

# Thread = Thread.CurrentPrincipal

which returns the principal of the currently executing .NET thread which rides on top of the Win32 thread.


C# - Lock Thread.sleep Not Working With .NET Thread?

Jun 25, 2010

I have a password page and when someone enters an incorrect password I want to simply foil a brute force attack by having

bool isGoodPassword = (password == expected_password);

lock (this)
{
    if (!isGoodPassword)
        Thread.Sleep(2000);
}

I would expect that this would allow all correct passwords without stalling, but if one user enters a bad password another successful password from a different user would also be blocked. However, the lock doesn't seem to lock across ASP.NET threads.


Web Forms :: Use Thread.sleep Method For A Particular Thread?

Aug 27, 2010

I want an example of multithreading. I want to use it in a web form, not on console. I am using C#.net. And how to use thread.sleep method for a particular thread?


ScriptResource.axd Vulnerable Script When Test It With Shadow Security Scanner?

Mar 1, 2011

I performed tests against my web server using Shadow Security Scanner with the following results:

Web Servers : Vulnerable script
Port : 80
Description: Found vulnerable script on this web site
Risk level :High
Script: http://servername/ScriptResource.axd?d=P4tzN-eCJlchxi30M7K6eGzyH7tdeY4timDGCw0yDS45Ur477KM8CSqJQdqun4VDGbs5xXGPE 7VeqXqRIDyOHxwoopCbgbWmKFLiyKB1Qs5UDJTyZQYe4zURSEshSBwPOm1hORh40237AJZ_EWO2n2-3IwAzTY__px0r6WbIYgWamkVz0&t=/etc/passwd
CVE : GENERIC-MAP-NOMATCH

Why is ScriptResource.axd a vulnerable script?


C# - Handling Concurrent File Writes?

Dec 29, 2010

I am developing an ASP.NET application that takes user input and serializes it into a text file. Now, when a second update request comes while the file is still being written, an IOException will be generated. How do I handle concurrent update requests to this file?


Configuration :: TextWriterTraceListener In Website Writes Nothing To The File?

May 13, 2010

In my website I have configured the following in the web.config

[Code]....

Following is a line in my HttpHandler

[Code]....

Issue is that I cannot see anything written in the file. File gets created but nothing is written in it.


Web Forms :: Radiobutton Event Writes To An XML File But Does Not Show The Changes On The Page

Jan 3, 2010

ASP.net radiobutton change event writes the new selection to an XML file and that needs to be shown on the page, but it does not show the changes on the page since the page load occurs before the event fires. Give some insight how to resolve this.


Web Forms :: Table Profile Provider Writes UserID Twice In Query - Causes Error

May 21, 2010

I get this error while trying to run my project: "Column name 'UserID' appears more than once in the result column list." Indeed, the query generated in my SqlTableProfileProvider.vb is the following (text in brackets [] has been changed):

"IF EXISTS (SELECT 1 FROM [table] WHERE UserId = @UserId) BEGIN UPDATE [table] SET UserID=@Value0, LastUpdatedDate=@LastUpdatedDate WHERE UserId = '[Guid]'END ELSE BEGIN INSERT [table] (UserId, UserID, LastUpdatedDate ) VALUES ('[Guid]', @Value0, @LastUpdatedDate) END"

I'll emphasize that the above statement is generated in SqlTableProfileProvider.vb, which was written by .Net people. While I have little control over its source, I've apparently given the fodder whereby the mistake can be generated. Any clues as to why UserID is being written twice in the statement?


SQL Server :: Search A Text In The Database Even If User Writes Wrong Spelling?

Dec 11, 2010

I want to search a text in the database even if user writes wrong spelling.

I am using LIKE operator. But I am not getting exact result.

For example: I want to search 'Norrebro' if user types 'Norebro' (wrong spelling)

LIKE operator does not work in this case. So how can I get the exact result??


Sharepoint - Simple Web Form That Writes To A Database... Access Web Form Or Custom .NET?

Feb 21, 2011

I am working in a school and we recently installed a new server running WinServer 2008R2. I want to be able to point people to a URL on our intranet and have them fill out a simple registration form and have this data written to a database. It would also be nice to have some data auto-populate (such as their name).

Is it overkill to set up a sharepoint server and try to do this with Access Webforms? Could I use something like dotnetnuke and find a module that works? Or how about options for writing custom forms?


C# - Set Thread As Background Or Not

Jan 2, 2011

I need an explanation regarding some advice I got on this site. I'm doing a newsletter sending app, and I have my mail sent in a separate thread so the process doesn't slow down the whole web site. A couple of people advised me to set the thread's IsBackground property to true. I did this, but was also curious about what this does, so I googled a bit.

As it turns out, setting the IsBackground property to true indicates that "it's okay if the process shuts down while this thread is still running." Or as Microsoft puts it, "Any remaining background threads are stopped and do not complete." I don't know if I got this the wrong way but, wouldn't it be better to leave the IsBackground property to false, so that the spawned thread can complete its work regarding the main thread?


A Process In A Thread?

May 8, 2010

I want to execute a process, but after the process is done I would like to execute a query so I know this process is done. The process called ffmpeg is quite big so I start it and wait till it's done with this coding:

ffmpeg.Start(); // start !








Copyrights 2005-15 www.BigResource.com, All rights reserved