Infotech

Reputation: 72

Security Issue with ASP.NET and SQL Server

A problem appears when two users are logged on to our service system at the same time and looking at the service list gridview. If user1 does a search to filter the gridview and user2 happens to click to another page, user2 sees the results from the search performed by user1. That means one company can see another company's data.

It's an ASP.NET application that was developed in house with C#/ASP.NET 3.5. The data is stored in a SQL 2000 database and relies very heavily on stored procedures to update, select, and delete data. There are multiple user types that are restricted in what data they can see. For example, we have a company user that can only see data relevant to that company.

From what I've seen, the security is handled through If statements in the front end. Example: if userlevel = 1 then do this, if userlevel = 2 do this. These statements are used to show or hide columns in a grid, run queries to return data, and apply any other restrictions needed. For a company user the code behind gets the companyid assigned to the user and uses that in a query to return all the data associated with that companyid (services, ships, etc).

Any recommendations for fixing this will be highly appreciated.

Upvotes: 1

Views: 128

Answers (5)

Infotech

Reputation: 72

Here is some sample code that is throughout the entire application that is used for filtering results. What is the best way to fix this so that when one user logs on, the other user doesn't see those results?

protected void PopulategvServiceRequestListing(string _whereclause)
{
    // _dsGlobalDatasource is declared elsewhere in the page; the result set for
    // this request is assigned to it and then bound to the grid.
    _dsGlobalDatasource = new TelemarServiceRequestListing().GetServiceRequestListingDatasource(_whereclause);

    if (_dsGlobalDatasource.Tables[0].Rows.Count != 0)
    {
        // Rows found: bind the filtered result set to the grid.
        gv_ServiceRequest.DataSource = _dsGlobalDatasource;
        gv_ServiceRequest.DataBind();
    }
    else
    {
        // No rows: bind a dummy dataset so the header still renders,
        // then hide the single placeholder row.
        gv_ServiceRequest.DataSource = new TelemarServiceRequestListing().DummyDataset();
        gv_ServiceRequest.DataBind();
        gv_ServiceRequest.Rows[0].Visible = false;
        gv_ServiceRequest.HeaderStyle.Font.Bold = true;
    }
}

Upvotes: 0

Patrick Karcher

Reputation: 23603

Your basic model should work. What you've told us is not enough to diagnose the problem. But, I've got a few guesses. Most likely your code is confusing UserID or CompanyID values.

  • Are you mistakenly storing the CompanyID in the Cache, rather than the session?
  • Is the CompanyID stored in a static variable? A common (and disastrous!) pitfall in web applications is that a value stored in a static variable will remain the same for all users! In general, don't use static variables in asp.net apps.
  • Maybe your db caching or output caching doesn't vary properly by session or other variables. So, a 2nd user will see what was created for the previous user. Stop any caching that's happening and see if that fixes it, but debug from there.
  • Other variations on the above themes: maybe the query is stored in a static variable. Maybe these user-related values are stored in the cache or db, but the key for that record (UserID?) is stored in a static variable?

Upvotes: 1

Icarus

Reputation: 63956

In addition to jrummell's answer, check the Data Access Layer of your app and make sure that you don't have any static variables defined. Having a static variable defined could cause this sort of issue too, since 2 contending requests may overwrite the value of the CompanyID, for example.

Upvotes: 1
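The shared-state pitfall that Patrick Karcher's and Icarus's answers describe, as an added example that is not code from the original question or the asker's application: the vulnerable page shape (a static field holding the filter and the result set) beside a per-request version that reads the company from the server-side session and passes it as a stored-procedure parameter. `gv_ServiceRequest` and `TelemarServiceRequestListing` are the names from the posted code; `Session["CompanyId"]`, the `Telemar` connection-string name and `dbo.usp_ServiceRequestListing` are assumptions.

```csharp
// Added example (not from the original question). Shows the static-field bug
// the answers describe and a per-request replacement. Session["CompanyId"],
// the "Telemar" connection string and dbo.usp_ServiceRequestListing are assumed.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class ServiceRequestListing : Page
{
    // BUG: a static field belongs to the AppDomain, not to a request. user1's
    // search overwrites it; user2's next postback binds whatever is in it.
    private static DataSet _dsGlobalDatasource;
    private static string _lastWhereClause;

    // FIX: ASP.NET creates a new Page instance for every request, so an
    // instance field is private to this request. Identity lives in Session.
    private DataSet _dsRequestDatasource;

    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["Telemar"].ConnectionString;

    private int CurrentCompanyId
    {
        get
        {
            object id = Session["CompanyId"];   // assumed to be set once at login
            if (id == null)
                throw new HttpException(403, "No company bound to this session");
            return (int)id;
        }
    }

    // Vulnerable shape: the filter string and the result set are both shared
    // by every concurrent request to this page.
    protected void PopulateVulnerable(string whereClause)
    {
        _lastWhereClause = whereClause;
        _dsGlobalDatasource = new TelemarServiceRequestListing()
            .GetServiceRequestListingDatasource(_lastWhereClause);
        gv_ServiceRequest.DataSource = _dsGlobalDatasource;
        gv_ServiceRequest.DataBind();
    }

    // Hardened shape: the company id is read from the server-side session on
    // every request and passed as a parameter; the caller cannot widen the
    // filter, and nothing outlives this request.
    protected void PopulateHardened(string searchText)
    {
        _dsRequestDatasource = GetListingForCompany(CurrentCompanyId, searchText);
        gv_ServiceRequest.DataSource = _dsRequestDatasource;
        gv_ServiceRequest.DataBind();
    }

    private static DataSet GetListingForCompany(int companyId, string searchText)
    {
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_ServiceRequestListing", cn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CompanyId", SqlDbType.Int).Value = companyId;
            cmd.Parameters.Add("@Search", SqlDbType.NVarChar, 100).Value =
                string.IsNullOrEmpty(searchText) ? (object)DBNull.Value : searchText;

            DataSet ds = new DataSet();          // local to this call, never static
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                da.Fill(ds);
            }
            return ds;
        }
    }
}
```

The quickest check against the real code base is a search for `static` fields in the pages and the data access layer that hold a where clause, a DataSet, a CompanyID or a UserID; any such field is shared by every request in the worker process. The hardened shape also moves the tenant filter out of the front-end If statements and into the stored procedure's parameters, so the restriction is applied even when a page forgets to add it.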

RG-3

Reputation: 6188

You can put those if statements in a thread. Threading provides you the option that only 1 user can access the application, or the gridview in your case.

See this link: http://msdn.microsoft.com/en-us/library/ms173179.aspx

Upvotes: 0

jrummell

Reputation: 43067

It's hard to say without seeing any implementation details, but on the surface it appears that there may be some company level caching. Check for OutputCache settings, DataSource caching, explicit caching with Page.Cache, etc.

This article is a little dated, but at a glance it looks like most information is still relevant in ASP.NET 4.0.

ASP.NET Caching: Techniques and Best Practices

Upvotes: 2
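The caching variants jrummell's answer (and Patrick Karcher's first bullet) point at, as an added example that is not from the original page: an application-cache entry keyed without the tenant beside one keyed with it, and a `VaryByCustom` hook that keys output-cached pages on the authenticated user. The `ServiceRequestListing` cache key, the five-minute expiry and the `user` vary string are assumptions.

```csharp
// Added example (not from the original page): two caching patterns that leak
// one company's grid to another, each beside a corrected form. Cache keys,
// expiry and the "user" vary string are hypothetical.
using System;
using System.Data;
using System.Web;
using System.Web.Caching;

public static class ServiceListingCache
{
    // BUG: one key for everyone. Whoever populates it first "wins", and every
    // later request, whatever its company, reads that DataSet until it expires.
    public static DataSet GetSharedKeyed(Func<DataSet> load)
    {
        Cache cache = HttpRuntime.Cache;
        DataSet ds = cache["ServiceRequestListing"] as DataSet;
        if (ds == null)
        {
            ds = load();
            cache.Insert("ServiceRequestListing", ds, null,
                DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        }
        return ds;
    }

    // FIX: the tenant is part of the key. The companyId argument must come
    // from the server-side session, never from the query string or a static.
    public static DataSet GetForCompany(int companyId, Func<int, DataSet> load)
    {
        Cache cache = HttpRuntime.Cache;
        string key = "ServiceRequestListing:company=" + companyId;
        DataSet ds = cache[key] as DataSet;
        if (ds == null)
        {
            ds = load(companyId);
            cache.Insert(key, ds, null,
                DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        }
        return ds;
    }
}

// Output caching: a page declared with
//   <%@ OutputCache Duration="60" VaryByParam="*" %>
// serves user1's rendered grid to user2 for 60 seconds. Vary it by the
// authenticated user instead (Global.asax.cs):
//   <%@ OutputCache Duration="60" VaryByParam="*" VaryByCustom="user" %>
public class Global : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
        {
            // Session is not populated yet when the output-cache module runs,
            // so key on the identity set during authentication instead.
            System.Security.Principal.IIdentity identity =
                context.User != null ? context.User.Identity : null;
            return identity != null && identity.IsAuthenticated
                ? "user=" + identity.Name
                : "anon=" + Guid.NewGuid();   // unique key: anonymous hits never share a copy
        }
        return base.GetVaryByCustomString(context, custom);
    }
}
```

Output caching is resolved at the `ResolveRequestCache` stage, before `AcquireRequestState` populates `Session`, which is why the hook keys on the forms-authentication identity rather than on `Session["CompanyId"]`. For a small company-scoped grid the simpler answer is usually to not output-cache the page at all and cache only the company-keyed DataSet.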
