I am analyzing a problem from an old asp.net site made by one of my colleagues who left the company some months ago.
The problem is that we have a few times experienced that two users' sessions are mixed up, so that if, for example, two users are logged in, one user sees the other user's data. As it happens very rarely (once a month or so) it is difficult to figure out what goes wrong.
I have now stepped through his code for authentication and it goes like this:
Page_Load
on the master page, the code checks in a MySQL database that the username/password is valid, not expired etc. and returns a unique userid if ok:
    HttpContext.Current.Session(Consts.CCookieName_LoginUrl) = Request.RawUrl
    FormsAuthentication.SetAuthCookie(userid, False)
    Context.Response.Redirect(secureurl, False)
Page_Init
of the master page of the secure area, the userid is read by:
    userid = Context.User.Identity.Name
I have some ideas on what is going wrong, but would like to have some input before modifying the code, so please anyone?
It's hard to tell here. Have you configured Forms Authentication?
This is the process you have to follow for Forms Authentication. In your web.config you set up the authentication system:
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" defaultUrl="Home.aspx" timeout="30" slidingExpiration="true" />
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>
Your login page (post-back) checks the credentials (not your master page). If the user is valid then you set the cookie:
FormsAuthentication.SetAuthCookie(userid, False)
and redirect to another page. Now, you have to set your principal by reading the cookie, here (in Global.asax):
    protected void Application_AuthenticateRequest(Object sender, EventArgs e) {
        if (HttpContext.Current.User != null) {
            if (Request.IsAuthenticated == true) {
                // Debug#1
                // The forms-authentication module has already accepted the cookie;
                // decrypt it again to get at the ticket and its UserData.
                FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(Context.Request.Cookies[FormsAuthentication.FormsCookieName].Value);
                if (ticket == null || ticket.Expired) return; // tampered or stale ticket: leave the request anonymous
                // In this case, ticket.UserData = "Admin"
                string[] roles = new string[1] { ticket.UserData };
                FormsIdentity id = new FormsIdentity(ticket);
                // Replace the principal so User.IsInRole() sees the roles carried in UserData
                Context.User = new System.Security.Principal.GenericPrincipal(id, roles);
                // Debug#2
            }
        }
    }
Obviously, I've simplified, but this is the path you have to follow to do things properly.
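The whole path the answer describes, written out end to end as an added example (this is not code from the question or the answer): a Login.aspx code-behind that checks credentials on its own post-back and issues the ticket, the Global.asax handler that rebuilds the principal from the cookie on every request, and one page in the secure area that reads the identity. The control names (UserName, Password, ErrorLabel, WelcomeLabel), the in-memory credential table and the comma-separated role list in UserData are assumptions standing in for the site's MySQL lookup and its .aspx markup; the 30-minute ticket lifetime mirrors the timeout="30" in the web.config above.

```csharp
// Added example, not the original site's code. Control names, the credential
// table and the role format are assumptions (see the lead-in).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Constructed stand-in for the MySQL lookup: user name -> (password, userid, roles).
    // A real site compares a salted password hash and checks account expiry here.
    private static readonly Dictionary<string, string[]> Accounts =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "alice-secret", "1001", "Admin" } },
            { "bob",   new[] { "bob-secret",   "1002", "User" } },
        };

    // Runs on the login page's own post-back, not on a master page.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string[] account;
        if (!Accounts.TryGetValue(UserName.Text, out account) || account[0] != Password.Text)
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }
        string userId = account[1];
        string roles = account[2];   // comma-separated list, e.g. "Admin" or "User,Editor"

        // Build the ticket by hand so UserData can carry the roles that
        // Application_AuthenticateRequest turns into the principal.
        // The lifetime must match timeout="30" in web.config.
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userId, now, now.AddMinutes(30), false, roles, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL from web.config
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        // Send the user to the page they originally asked for (ReturnUrl), falling
        // back to defaultUrl from web.config, and end the response here.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(userId, false), true);
    }
}

public class Global : HttpApplication
{
    // Rebuilds Context.User from the cookie on every request.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) return;

        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; }    // malformed cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}

public partial class SecurePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Read the identity from this request's principal only; a static field
        // is shared by every request in the worker process.
        string userId = User.Identity.Name;
        bool isAdmin = User.IsInRole("Admin");

        // Per-user output must not be served from a shared output cache.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);

        WelcomeLabel.Text = "User " + userId + (isAdmin ? " (admin)" : "");
    }
}
```

Two details worth checking against the code in the question: the redirect after login is issued with endResponse set to true so the rest of the page does not keep running after the cookie is written, and the user id is taken from User.Identity.Name on each request rather than held anywhere that outlives the request.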