Security violation

3/2/2006 10:11:19 AM
ASPRunnerPro General questions
jerrycook author

Hi - This is a strange one!!
I have 2 separate Access databases each with an ASP front end.
The 2 independent projects are built on the same web server.
The user logons are configured similarly, i.e.:

Both systems use a login page, and are configured to use user tables within their respective databases.

Both are configured to allow guest login with read only access.

Each database has different usernames/passwords in its user table.
Here's what can happen:

  1. Hyperlink for project 1 clicked - challenged for login.
  2. A valid username/password for project 2 (not 1) is entered, and rejected (all OK so far).
  3. User then logs in as guest. Message "Your session has expired. Please login again." is displayed.
  4. User tries to login as guest again. System accepts, and grants read only access on a fresh page. (all OK still).
  5. User then closes project 1 without logging out (just clicks X top right).
  6. User then clicks hyperlink for project 2, and is challenged for a login.
  7. User supplies username/password which was rejected at step 2 (this is valid for project 2).
     At this point the user should be logged into project 2 with appropriate rights as assigned to his user group.

However - the system takes the user back into project 1 with admin rights!
Apologies for the length of this message - I've tried to be as concise as I can.
Any ideas - Thanks

Jerry Cook (jcook@oastagencies.com)

Sergey Kornilov admin 3/2/2006

Jerry,
looks like something is mixed here.
Did you put both projects to the same folder on the Web server?
Each project should go to its own designated folder.

jerrycook author 3/2/2006

Jerry,

looks like something is mixed here.
Did you put both projects to the same folder on the Web server?
Each project should go to its own designated folder.


Hi - Thanks for your reply.
The projects are in their own designated folders.
Interestingly, this only happens after the "Your session has expired. Please login again" has been displayed (step 3).
Thanks again

jerrycook author 3/2/2006
Hi
I have found a workaround, but I believe there is still an issue here.
This sequence of events only seems to happen if the "add admin user that can see and edit all users data" check box is ticked in project 1. If this is taken off, the "Your session has expired. Please login again" message is not displayed, and all appears OK.
Hope this is helpful to you.

Sergey Kornilov admin 3/2/2006

Jerry,
I see what you're saying now.
ASP pages store logged user info in Session variables. Session variables are shared between all folders on the Web site.
To prevent this from happening make sure you created a separate Application in each folder.

In IIS settings right-click on the folder, choose Properties->Directory->Create application.
In this case Session data won't be shared between projects.
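The fix Sergey describes is a per-folder setting in the IIS 5/6 MMC dialog. As an added example (not from this thread or from the ASPRunnerPro vendor), the script below does the same thing on IIS 7 or later with the WebAdministration module, and then lists the site's applications so you can confirm each project is its own application rather than a plain subfolder sharing the site's Session state. The site name, folder paths and pool names are assumptions; adjust them to your server.

```powershell
# Added example: give each ASPRunner project its own IIS application
# (and its own application pool) so ASP Session variables are not shared
# between projects. Site name, paths and pool names below are assumptions.
Import-Module WebAdministration

$site = 'Default Web Site'                      # assumed site name
$projects = @{                                  # assumed folder layout
    'project1' = 'C:\inetpub\wwwroot\project1'
    'project2' = 'C:\inetpub\wwwroot\project2'
}

foreach ($name in $projects.Keys) {
    $path = $projects[$name]

    # A dedicated application pool per project runs each one in its own
    # worker process, on top of the separate Session scope.
    if (-not (Test-Path "IIS:\AppPools\$name")) {
        New-WebAppPool -Name $name | Out-Null
    }

    # A subfolder or virtual directory of the site shares the site's Session
    # state; marking it as an application gives it a Session scope of its own.
    if (-not (Test-Path "IIS:\Sites\$site\$name")) {
        New-WebApplication -Name $name -Site $site `
            -PhysicalPath $path -ApplicationPool $name | Out-Null
    }
}

# Check: every project should show up as its own application under the site,
# each with its own pool. Anything missing here still shares Session state
# with the parent site.
Get-WebApplication -Site $site |
    Select-Object @{ n = 'App'; e = { $_.path } }, applicationPool, PhysicalPath |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on the web server. If a project folder is listed by `Get-WebApplication` it has its own Session scope; a login in one project can then no longer carry over into the other, which is exactly the cross-over Jerry saw at step 7.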

jerrycook author 3/3/2006

Jerry,

I see what you're saying now.
ASP pages store logged user info in Session variables. Session variables are shared between all folders on the Web site.
To prevent this from happening make sure you created a separate Application in each folder.

In IIS settings right-click on the folder, choose Properties->Directory->Create application.
In this case Session data won't be shared between projects.


Brilliant!!

That sorted it all out.
I have to say your support is the best I've come across (and I've been in IT for 25 years).

Thanks again Sergey.
Jerry