It is a plain ASP.NET application using SQL Membership Provider for authentication. While the application runs well most of the time, we have recently been seeing complaints from users saying they are seeing other users' accounts.
I am pretty sure, and confirmed again, that I directly consume HttpContext.Current.User.Identity.Name in the code to get user information. So under heavy load I get a different user name returned.
Has anyone faced a similar issue? Any possible cause?
The application runs on ASP.NET 4.0, Web Forms, no caching, no cookies handled in code, no JavaScript that is sniffing cookies.
I see these two links talking about the same issue, but no answers are posted.
http://bytes.com/topic/asp-net/answers/324385-serious-issue-httpcontext-current-user-identity-name
http://www.experts-exchange.com/Web_Development/Miscellaneous/Q_21105924.html
HttpContext.Current.User.Identity.Name returns null or empty string value.
You can achieve this by manually setting HttpContext.User: var identity = new ClaimsIdentity("Custom"); HttpContext.User = new ClaimsPrincipal(identity);
It just holds the username of the user that is currently logged in.
Forms Authentication shouldn't be related to Membership provider too much.
FormsAuthentication saves signed user information into the .ASPXAUTH cookie. When the next request comes to the server, it decrypts the cookie value and sets it back to HttpContext.Current.User.Identity.Name. It uses the MachineKey for encryption/decryption. Then it creates a FormsIdentity object based on the FormsAuthenticationTicket object that holds the username. So your userName is stored on the client, and this whole process doesn't include usage of the Membership provider.
Forms Authentication uses Membership only when you log the user in, and then, based on the logged-in user, FormsAuthentication creates a cookie with the UserName.
About your problem: you need to check the .ASPXAUTH cookie value for those requests that have an invalid UserName. You can try to log cookie information for these bad requests, and then you can decrypt them to get the userName info from the request. Or, if you can reproduce it locally, you can disable Forms cookie encryption (protection element), and then check its value for bad requests.
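One way to do the logging this answer suggests, as an added example that is not part of the original post: a Global.asax handler that decrypts the .ASPXAUTH ticket on each request and records it next to the name the runtime put in Context.User. Hashing the cookie instead of logging it raw, the log line format and the use of System.Diagnostics.Trace are assumptions of this sketch.

```csharp
// Global.asax.cs: added diagnostic example, not code from the original post.
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Fires after FormsAuthenticationModule has set Context.User for this request.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // no forms cookie on this request

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypts and validates with the machineKey from configuration.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            Trace.TraceWarning("Forms cookie could not be decrypted: {0}", ex.Message);
            return;
        }
        if (ticket == null || ticket.Expired)
            return; // the runtime treats these requests as anonymous

        string contextName = Context.User != null ? Context.User.Identity.Name : "";
        bool mismatch = !string.Equals(ticket.Name, contextName, StringComparison.OrdinalIgnoreCase);

        // Assumption: log a short hash, not the cookie itself, since the raw value is a usable credential.
        string cookieId;
        using (SHA256 sha = SHA256.Create())
            cookieId = BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(cookie.Value)), 0, 8);

        string line = string.Format(
            "ticketUser={0} contextUser={1} issued={2:o} cookieId={3} ip={4} path={5}",
            ticket.Name, contextName, ticket.IssueDate, cookieId,
            Request.UserHostAddress, Request.Path);

        if (mismatch) Trace.TraceWarning("Identity mismatch: " + line);
        else Trace.TraceInformation(line);
    }
}
```

A warning line means Context.User was changed after the cookie was validated. When ticketUser and contextUser agree but the reporting user is someone else, look for the same cookieId arriving from different clients, which shows the cookie itself reached the wrong browser.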