Relogin using different user, can access the previous user login page

Hi there,

I am using ASP.NET 2.0 and its login controls. I face a security loophole in which, within the same IE window, the 1st user accesses a page and leaves it for a long time. The 2nd user then clicks on it and gets redirected to the login page. The second user logs in and can see the last page that the 1st user left.

Why? Any workaround for this?

Thanks

0
whkwan
2/17/2006 11:20:01 AM
asp.net.security 27051 articles. 1 followers. Follow


Hi wkhwan,

When the user logs in the second time, they will by default be sent back to the page that they were previously on. Note that they will be accessing the page as the second user though -- *not* the first -- so there shouldn't be any security loopholes.

If you want to always send a new logged in user to a specific page (and not back to where they came from) you can also set the "DestinationPageUrl" property on the login control and point them at a specific destination.

Hope this helps,

Scott

0
ScottGu
2/18/2006 6:55:17 PM
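
An added example, not part of the thread or of the ASP.NET samples: a login-page code-behind that returns the newly logged-in user to the requested page only when URL authorization allows that user to see it, and otherwise sends them to a fixed landing page. The control ID `Login1`, the handler name `Login1_LoggedIn` and the landing page `~/Default.aspx` are hypothetical, and a role provider is assumed to be enabled.

```csharp
// Login.aspx.cs (added example; names below are assumptions, not from the thread).
// Markup assumed on the page:
//   <asp:Login ID="Login1" runat="server" OnLoggedIn="Login1_LoggedIn" />
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    // Hypothetical landing page for users who may not go back to the requested URL.
    private const string LandingPage = "~/Default.aspx";

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Context.User is still the anonymous principal during this request,
        // so build a principal for the user who has just authenticated.
        string userName = Login1.UserName;
        IPrincipal newUser = new GenericPrincipal(
            new GenericIdentity(userName, "Forms"),
            Roles.GetRolesForUser(userName)); // requires roleManager to be enabled

        string target = LandingPage;
        string returnUrl = Request.QueryString["ReturnUrl"];

        if (IsLocalPath(returnUrl))
        {
            // URL authorization is evaluated on the path, without the query string.
            string path = returnUrl.Split('?')[0];
            if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, newUser, "GET"))
            {
                target = returnUrl;
            }
        }

        // Redirect explicitly so the outcome does not depend on the control's default.
        Response.Redirect(target);
    }

    // Accept only application-local paths such as "/app/Secure/Page.aspx".
    private static bool IsLocalPath(string url)
    {
        return !String.IsNullOrEmpty(url)
            && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The check uses the same `<authorization>` rules from web.config that protect the target page, so a user in a different role than the previous one lands on the default page instead of bouncing back to the login form.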