Jonny Wilson

Reputation: 177

ASP.NET Membership returning SAME session information for every user

I have an ASP.NET Membership application. I log in as "JONNY" and this is a success. RUPERT then (from a different PC, at a different location) clicks on the members area and he is not prompted to log in, but he sees Jonny's profile and information. It's as if Jonny clicked "Remember Me", then Rupert comes along to his SAME machine and clicks the link - here, I would expect Rupert to see Jonny's page as it's on the SAME machine and Jonny hasn't logged out. But these two people are in different locations, on different machines, different IPs etc.

How can this be?

    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (Membership.ValidateUser(model.UserName, model.Password))
        {
            // user is logged in here, we know the username is valid...
            var memberStore = new MemberStore();
            var member = memberStore.GetMemberByUsername(model.UserName);

            // but now check if they've confirmed their email
            // if not, sign the session out and show inactive account view...
            if (!member.IsActive)
            {
                FormsAuthentication.SignOut();
                return View("AccountNotActive");

            }
            string[] roleNames = Roles.GetRolesForUser(model.UserName);

            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            Settings.Setting.UserSession.Member = member;
            var viewModel = new MyProfileViewModel { Member = memberStore.GetMemberByUsername(model.UserName) };
            viewModel.Role = roleNames[0];

            return View("MyProfile", viewModel);
        }

        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    public ActionResult Logout()
    {
        Settings.Setting.UserSession.Member = null;
        FormsAuthentication.SignOut();
        return View("LoggedOut");
    }

Upvotes: 0

Views: 162

Answers (1)

Jason P

Reputation: 27022

Writing an answer so I can show code. A possible quick fix could look something like this:

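    using System.Web; // HttpContext

    public static class UserSession
    {
        // Static accessor, but the value is read from and written to
        // the current request's session, so it is per user.
        public static SiteMember Member
        {
            get
            {
                return HttpContext.Current.Session["Member"] as SiteMember;
            }
            set
            {
                HttpContext.Current.Session["Member"] = value;
            }
        }
    }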

Static members are ok here because the implementation works on values specific to the current user's session.

Upvotes: 2
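The difference between a static field and the session-backed property in the answer, as an added example that is not code from the question or the answer. It assumes the original `Settings.Setting.UserSession.Member` was backed by a static field (the question does not show that class); `LeakyUserSession`, `FakeHttpContext` and `SessionUserSession` are hypothetical names, `FakeHttpContext` is a console stand-in for `HttpContext.Current.Session`, and the member is a plain string for brevity.

```csharp
using System;
using System.Collections.Generic;

// Assumed shape of the original UserSession (not shown in the question):
// a static property is stored once per application domain, so every request sees it.
public static class LeakyUserSession
{
    public static string Member { get; set; }
}

// Constructed stand-in for HttpContext.Current.Session: one dictionary per
// session id, selected at the start of each simulated request.
public static class FakeHttpContext
{
    private static readonly Dictionary<string, Dictionary<string, object>> Store =
        new Dictionary<string, Dictionary<string, object>>();
    [ThreadStatic] private static string currentSessionId;

    public static void BeginRequest(string sessionId)
    {
        currentSessionId = sessionId;
        if (!Store.ContainsKey(sessionId))
            Store[sessionId] = new Dictionary<string, object>();
    }

    public static Dictionary<string, object> Session => Store[currentSessionId];
}

// Same pattern as the answer: static accessor, per-session backing store.
public static class SessionUserSession
{
    public static string Member
    {
        get => FakeHttpContext.Session.TryGetValue("Member", out var m) ? m as string : null;
        set => FakeHttpContext.Session["Member"] = value;
    }
}

public static class Program
{
    public static void Main()
    {
        FakeHttpContext.BeginRequest("session-jonny");   // Jonny logs in
        LeakyUserSession.Member = "JONNY";
        SessionUserSession.Member = "JONNY";

        FakeHttpContext.BeginRequest("session-rupert");  // Rupert: other machine, never logged in
        Console.WriteLine("static field:   " + (LeakyUserSession.Member ?? "(none)"));
        Console.WriteLine("session-backed: " + (SessionUserSession.Member ?? "(none)"));
    }
}
```

In the second request the static property still holds Jonny's value, while the session-backed property finds nothing under Rupert's session id.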
