1

A problem appears when two users are logged on to our service system at the same time and looking at the service list gridview. If user1 does a search to filter the gridview and user2 happens to click to another page, user2 sees the results from the search performed by user1. That means one company can see another company's data.

It's an ASP.NET application that was developed in house with C#/ASP.NET 3.5. The data is stored in a SQL 2000 database and relies very heavily on stored procedures to update, select, and delete data. There are multiple user types that are restricted in what data they can see. For example, we have a company user that can only see data relevant to that company.

From what I've seen, the security is handled through If statements in the front end. Example: if userlevel = 1 then do this, if userlevel = 2 do this. These statements are used to show or hide columns in a grid, run queries to return data, and any other restrictions needed. For a company user the code behind gets the companyid assigned to the user and uses that in a query to return the results of all the data associated with that companyid (services, ships, etc).

Any recommendations for fixing this will be highly appreciated.

3
  • Where is the company ID stored? Commented Jan 25, 2012 at 17:40
  • Not sure how that would happen? Is a regular table being created/destroyed on the backend instead of using temporary tables? Or is the data being loaded into some static variable in the application before being sent to the UI? Not sure how else this would be happening? Commented Jan 25, 2012 at 17:44
  • I don't think I totally understand the problem... If the company is being fetched from the user and being sent in to the query... And presumably the query is filtering on that company info, why would you think the wrong data would be brought back? Commented Jan 25, 2012 at 17:47

5 Answers

2

It's hard to say without seeing any implementation details, but on the surface it appears that there may be some company level caching. Check for OutputCache settings, DataSource caching, explicit caching with Page.Cache, etc.

This article is a little dated, but at a glance it looks like most information is still relevant in ASP.NET 4.0.

ASP.NET Caching: Techniques and Best Practices


4 Comments

Caching is the old way to implement these issues. New is threading sync.
Do you have some documentation to back that up? Caching is a very common performance technique in ASP.NET.
In most of my applications, I used threading. Never used caching or any Sessions. They will try to KILL you after a while.
Sure, you can abuse Cache and Session and cause all kinds of problems, but you can also do the same with Threading :). Cache and Session definitely have their place in stateless web development.
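The OutputCache check suggested in this answer, as an added example that is not part of the original post: the weak page directive beside a corrected one, and the Global.asax override ASP.NET calls to compute a custom vary key. CompanyLookup and its ForUser method are hypothetical stand-ins for however the application resolves the company of the authenticated user; the user-to-company table inside it is constructed sample data.

```csharp
// Weak: a page-level output cache that varies by nothing user-specific.
// The first company's rendered gridview is served to every later visitor
// for the next 60 seconds, regardless of who they are.
//
//   <%@ OutputCache Duration="60" VaryByParam="none" %>
//
// Corrected directive (in the .aspx): key the cache entry on the company,
// or, for a per-company grid, simply do not output-cache it at all:
//
//   <%@ OutputCache Duration="60" VaryByParam="none" VaryByCustom="company" %>
//   <%@ OutputCache Location="None" %>

// Global.asax.cs: ASP.NET calls this override once per request for each
// VaryByCustom name and folds the returned string into the cache key.
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "company", StringComparison.OrdinalIgnoreCase))
        {
            // Anonymous requests share one entry that never contains company data.
            if (context.User == null || !context.User.Identity.IsAuthenticated)
                return "company=anonymous";

            // Resolve the company from the authenticated identity on every
            // request; never from a static field or a client-supplied value.
            int companyId = CompanyLookup.ForUser(context.User.Identity.Name);
            return "company=" + companyId;
        }
        return base.GetVaryByCustomString(context, custom);
    }
}

// Hypothetical stand-in for the app's own lookup (constructed for this example);
// the real application would read this from its user table.
static class CompanyLookup
{
    private static readonly Dictionary<string, int> UserToCompany =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", 1 },   // constructed sample user for company 1
            { "bob",   2 },   // constructed sample user for company 2
        };

    public static int ForUser(string userName)
    {
        int companyId;
        if (!UserToCompany.TryGetValue(userName, out companyId))
            throw new InvalidOperationException("no company for user " + userName);
        return companyId;
    }
}
```

With VaryByCustom="company" each company gets its own cached copy of the page, so a cached grid rendered for company 1 is never handed to a company 2 user; Location="None" is the simpler choice when the grid changes per search and caching buys little.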
1

In addition to jrummerll's answer, check the Data Access Layer of your app and make sure that you don't have any static variables defined. Having a static variable defined could cause this sort of issue too, since 2 contending requests may overwrite the value of the CompanyID, for example.


1

Your basic model should work. What you've told us is not enough to diagnose the problem. But, I've got a few guesses. Most likely your code is confusing UserID or CompanyID values.

  • Are you mistakenly storing the CompanyID in the Cache, rather than the session?
  • Is the CompanyID stored in a static variable? A common (and disastrous!) pitfall in web applications is that a value stored in a static variable will remain the same for all users! In general, don't use static variables in asp.net apps.
  • Maybe your db caching or output caching doesn't vary properly by session or other variables. So, a 2nd user will see what was created for the previous user. Stop any caching that's happening and see if that fixes it, but debug from there.
  • Other variations on the above themes: maybe the query is stored in a static variable. Maybe these user-related values are stored in the cache or db, but the key for that record (UserID?) is stored in a static variable?

1 Comment

It could be a static variable. The main statement that gets the data is built like this: protected void PopulategvServiceRequestListing(string _whereclause). The _whereclause is populated based on the user level. My guess is when user 1 does a query, the _whereclause is populated with his data and user 2 then gets that same string instead of the one built based on their level.
0

You can put those if statements in a thread. Threading provides you the option that only 1 user can access the application or gridview in your case.

See this link: http://msdn.microsoft.com/en-us/library/ms173179.aspx


0

Here is some sample code that is throughout the entire application that is used for filtering results. What is the best way to fix this so that when one user logs on, the other user doesn't see those results?

protected void PopulategvServiceRequestListing(string _whereclause)
{
    // Build the dataset for this request from the caller-supplied filter.
    // _dsGlobalDatasource is a field on the page, not a local; if it (or the
    // source of _whereclause) is declared static, it is shared by every
    // request in the worker process.
    _dsGlobalDatasource = new TelemarServiceRequestListing().GetServiceRequestListingDatasource(_whereclause);
    if (_dsGlobalDatasource.Tables[0].Rows.Count != 0)
    {
        gv_ServiceRequest.DataSource = _dsGlobalDatasource;
        gv_ServiceRequest.DataBind();
    }
    else
    {
        // No rows: bind a placeholder dataset so the header still renders,
        // then hide the single dummy row.
        gv_ServiceRequest.DataSource = new TelemarServiceRequestListing().DummyDataset();
        gv_ServiceRequest.DataBind();
        gv_ServiceRequest.Rows[0].Visible = false;
        gv_ServiceRequest.HeaderStyle.Font.Bold = true;
    }
}
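The static-variable hypothesis from the answer above and the PopulategvServiceRequestListing code just posted, brought together in an added example that is not code from the original post: a console program in which a filter held in a static field is clobbered by overlapping requests, beside the per-request version that is not. FakeServiceRequestListing, LeakyListingPage and SafeListingPage are constructed stand-ins for the page and its data access; the repository simply reports which company filter it was asked to apply so the leaks can be counted.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Stand-in for the real TelemarServiceRequestListing data access (constructed for
// this example): it reports which company filter it was asked to apply.
static class FakeServiceRequestListing
{
    public static int GetListingForCompany(int companyId)
    {
        Thread.Sleep(1);      // simulate query latency so requests overlap
        return companyId;
    }
}

// BEFORE: the filter is kept in a static field. A static lives once per worker
// process, so every concurrent request reads and writes the same slot.
static class LeakyListingPage
{
    private static int _companyId;

    public static int Populate(int callerCompanyId)
    {
        _companyId = callerCompanyId;     // overwritten by any other in-flight request
        Thread.Sleep(1);                  // window in which another request can clobber it
        return FakeServiceRequestListing.GetListingForCompany(_companyId);
    }
}

// AFTER: the filter is a local derived from the caller's own identity for this
// request only and passed down as a parameter; no process-wide state is touched.
static class SafeListingPage
{
    public static int Populate(int callerCompanyId)
    {
        int companyId = callerCompanyId;  // per-request, lives on this thread's stack
        Thread.Sleep(1);
        return FakeServiceRequestListing.GetListingForCompany(companyId);
    }
}

class Program
{
    // Fires 400 simulated concurrent requests alternating between company 1 and
    // company 2 and counts how many received data filtered for the other company.
    static int CountCrossCompanyLeaks(Func<int, int> populate)
    {
        int leaks = 0;
        Parallel.For(0, 400, i =>
        {
            int caller = (i % 2 == 0) ? 1 : 2;
            if (populate(caller) != caller)
                Interlocked.Increment(ref leaks);
        });
        return leaks;
    }

    static void Main()
    {
        Console.WriteLine("static field, cross-company leaks: " + CountCrossCompanyLeaks(LeakyListingPage.Populate));
        Console.WriteLine("per-request, cross-company leaks:  " + CountCrossCompanyLeaks(SafeListingPage.Populate));
    }
}
```

The leaky variant reports a non-zero count on any multi-core machine, the per-request variant always reports zero. In the real page the same shape applies: read the CompanyID from the authenticated user's session inside the method, hand it to the stored procedure as a parameter, and keep no filter, dataset or key in a static field.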

