
SiteFinity 6.3 authenticating incorrect users

12 posts, 1 answered
  1. David
    29 posts
    Registered: 28 Apr 2009
    11 Feb 2014
    I am running 6.3 with claims-based authentication and a SQL membership provider from a previous site. We finished our site last week and brought it up on Monday morning. We have started receiving calls that periodically a user will log in and have permissions they should not have and see personal information for other users on the site. For instance, one user logged in and saw links to a section of the site that he did not have access to. Out of curiosity he clicked on them and the site allowed him to get to the page even though his user is not in the necessary role. Once there, a custom widget pulled a custom field from his profile in order to display information from another database, and it pulled the field from a different user profile. When the users log out and back in they start seeing things that belong to them again. It seems very much like they somehow received an authentication cookie for a different user.

    We have had to shut down the majority of sections of the site in the login-only areas because of this and will end up needing to contact end users to let them know that their information could have been exposed to other users. I have pulled a snapshot of the Sitefinity database and authentication database and restored it to my dev environment and logged in as the users that contacted us reporting the problem, but I have not been able to reproduce it. I have also looked through the database tables for users, profiles, and roles to see if there were duplicate or orphaned records, but everything looks clean.

    If anyone has seen similar things or has any ideas on ways of troubleshooting this it would be extremely helpful. If I cannot get this resolved soon I will have to revert to our old website.

    Thanks
    David

  2. Steve
    3037 posts
    Registered: 03 Dec 2008
    12 Feb 2014 in reply to David
    The only time I've seen caching issues like this on a control are when they're user controls, not SimpleView-based controls.

    Can you confirm that, and have you tried disabling caching?

    Our site is HEAVILY permissions based and we see none of these problems... odd
  3. David
    29 posts
    Registered: 28 Apr 2009
    12 Feb 2014 in reply to Steve
    I am using user controls for some of my stuff. However, the navigation is using the standard Sitefinity navigation widget and is showing users links they should not have access to when they have this happen. I have data caching turned off at the moment, but unfortunately I haven't figured out how to reproduce this yet to see if turning off all the caching will fix it. From what I can tell the site responds to the user exactly as if they were a specific other user. They have the other person's permissions, profile etc. Of course this is all based on what was described to me by the users at the moment. The only thing I can know 100% is that my user controls pull custom profile fields from the wrong profile when this occurs. In the controls I am using the identity token to get the current user, then their profile. I do have to wonder if it's something with the SQL membership provider, as I have run into a bunch of difficulties because of it. I was also looking at the sf_lic_user_activity table and it looks like when this occurs the last logon date for the user whose profile is being pulled is within 2 minutes after the user with the problem. It's a really strange problem.
  4. David
    29 posts
    Registered: 28 Apr 2009
    12 Feb 2014 in reply to David
    I wanted to add some more information that I have found in case it's helpful. After looking at the activity tables for various database snapshots I found that this only seems to occur the first time a user logs into the site and they happen to log in within a few minutes of another user who has logged in to the site for the first time. I'm not sure if this could have something to do with how I set up profiles. I am using a SQL membership provider for users but using a Sitefinity profile. Before anyone logged into the site I went through all the SQL users and created their profile in order to import some field values from their old profile. I am also running the site behind a reverse proxy, and the entire site must go over HTTPS. I'm not sure if that would cause a problem, but I'm working on setting up a reverse proxy for my dev environment so I can test it under the same conditions.
  5. David
    29 posts
    Registered: 28 Apr 2009
    12 Feb 2014 in reply to Steve
    After further testing I was able to reproduce the issue and it seems to be related to my reverse proxy. When 2 users access the site through the reverse proxy and access a secure area at the exact same time, they both seem to get the same response. So one user's session now thinks it is the other user's, and they get all of that user's roles, permissions, profile etc. Has anyone used Sitefinity behind a reverse proxy? I am using IIS ARR as my reverse proxy.
  6. David
    29 posts
    Registered: 28 Apr 2009
    13 Feb 2014 in reply to David
    I finally tracked this down and it looks like the issue is IIS ARR is caching cookies. I am working on disabling this cache.
    Answered
  7. Herbert
    5 posts
    Registered: 07 Apr 2014
    17 Jun 2015 in reply to David
    Hi David

    Is this issue solved?
    I'm facing the same issue; I'm using Sitefinity 7 in a reverse proxy infra:

    client - internet - load balancer (SSL offloading) - web server (ARR 2.5) - app server - db server

    I have tried to implement Sitefinity load balancer settings, sticky sessions, and changing ARR to URL Rewrite, but the issue still persists.

  8. David
    29 posts
    Registered: 28 Apr 2009
    17 Jun 2015 in reply to Herbert
    Ya, once I completely disabled the cache in our IIS ARR server, which is acting as a reverse proxy, the problem went away. I also have a SharePoint environment running claims authentication which passes through the same proxy, and the cookies are not cached, so I do wonder if Sitefinity doesn't properly mark the authentication cookies to not be cached.

    Specifically, what I did is went into the caching settings on the ARR farm and set the memory cache duration to 0, unchecked enable disk cache, and set query string support to do not cache. Also, from the root IIS server node I went into Output Caching -> Edit Feature Settings and unchecked all the boxes.

    I had no actual need for caching for any of the sites passing through my ARR server, so completely disabling caching was acceptable for me. I don't remember if I tried just disabling it in the farm first, but I feel like I may have.
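
The root cause David reports in posts 5, 6 and 8, and the setup Herbert describes in post 7, come down to one thing: a shared cache in the reverse proxy stores a response that belongs to one logged-in user and replays it to the next user who requests the same path. The Python model below is an added example, not code from this thread, from Sitefinity or from IIS ARR; the origin page, the session table, the two users and both cache classes are constructed here. It shows the naive cache handing Bob Alice's page and Alice's auth cookie, the conditions a proxy should check before storing a response (no Set-Cookie, no `no-store`/`private`, and a cache key that includes the cookie), and an `audit` check for the origin side that David wonders about in post 8, namely whether authentication responses are marked uncacheable at all.

```python
"""Model of a shared reverse-proxy cache in front of a login-only site.

Added example: not code from this thread, from Sitefinity or from IIS ARR.
The origin, the session table, both users and both cache classes are
constructed here to show why caching a per-user response leaks it to the
next user, and what a proxy and an origin must each do to prevent that.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # lowercase header name -> value
    body: str


# Constructed session table: session cookie -> authenticated user.
SESSIONS = {"sid=alice1": "alice", "sid=bob22": "bob"}


def origin(path, cookie, mark_private):
    """Constructed origin: a secure-area page that greets the user identified
    by the session cookie and, like a login handler, issues an auth cookie.
    mark_private controls whether it flags the response as uncacheable."""
    user = SESSIONS.get(cookie)
    if user is None:
        return Response(302, {"location": "/login"}, "")
    headers = {"set-cookie": f"auth={user}-token; Secure; HttpOnly"}
    if mark_private:
        headers["cache-control"] = "no-store, private"
    return Response(200, headers, f"Welcome {user}")


def audit(headers):
    """Defender's check on one response's headers: a list of reasons a shared
    cache between the users and the origin could replay this response to the
    wrong user. An empty list means the origin marked it correctly."""
    cc = headers.get("cache-control", "").lower()
    protected = "no-store" in cc or "private" in cc
    findings = []
    if "set-cookie" in headers and not protected:
        findings.append("Set-Cookie without Cache-Control: no-store/private")
    if not protected and "cookie" not in headers.get("vary", "").lower():
        findings.append("no Vary: Cookie and no Cache-Control: no-store/private")
    return findings


class NaiveProxyCache:
    """The failure mode from the thread: every 200 is stored under its path
    alone; cookies and Cache-Control are ignored."""
    def __init__(self, origin_fn):
        self.origin_fn = origin_fn
        self.store = {}

    def fetch(self, path, cookie):
        if path in self.store:
            return self.store[path]            # replayed to whoever asks next
        resp = self.origin_fn(path, cookie)
        if resp.status == 200:
            self.store[path] = resp
        return resp


class SafeProxyCache(NaiveProxyCache):
    """Hardened proxy: never stores a response that sets a cookie or is marked
    no-store/private, and keys anything it does store by (path, cookie)."""
    def fetch(self, path, cookie):
        key = (path, cookie)
        if key in self.store:
            return self.store[key]
        resp = self.origin_fn(path, cookie)
        cc = resp.headers.get("cache-control", "").lower()
        storable = (resp.status == 200 and "set-cookie" not in resp.headers
                    and "no-store" not in cc and "private" not in cc)
        if storable:
            self.store[key] = resp
        return resp


def simulate(cache_cls, mark_private):
    """Alice, then Bob, request the same protected page through one proxy
    within the cache lifetime. Returns what Bob received: (body, Set-Cookie)."""
    cache = cache_cls(lambda p, c: origin(p, c, mark_private))
    cache.fetch("/members/profile", "sid=alice1")
    bob = cache.fetch("/members/profile", "sid=bob22")
    return bob.body, bob.headers.get("set-cookie")


if __name__ == "__main__":
    for cls in (NaiveProxyCache, SafeProxyCache):
        for mark in (False, True):
            print(f"{cls.__name__:16} origin marks private={mark!s:5} -> "
                  f"Bob got {simulate(cls, mark)}")
```

Run as written, the two naive rows show Bob receiving Alice's body and Alice's Set-Cookie regardless of what the origin sends, which is the symptom from post 1; the safe proxy returns Bob his own page even when the origin forgot to mark the response, and `audit` flags such an unmarked response as a finding. In practice you would run `audit` over response headers captured from the secure area of the real site rather than over the constructed origin, and fix both sides: disable or constrain caching at the proxy as David did, and have the origin send `Cache-Control: no-store, private` on every authenticated response.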

  9. Herbert
    5 posts
    Registered: 07 Apr 2014
    05 Jul 2015 in reply to David
    Thanks, it's working.
  10. Bianca
    1 posts
    Registered: 09 Sep 2015
    24 Jun
    Hi

    We are running version 8.2 and the issue still persists after implementing the above-mentioned resolution. Please help.

  11. Svetoslav Manchev
    735 posts
    Registered: 27 Sep 2016
    29 Jun
    Hello Bianca,

    We have answered you in the support ticket. Once you have the solution, you can share it with the community.

    Regards,
    Svetoslav Manchev
    Telerik

    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items.

  12. David
    29 posts
    Registered: 28 Apr 2009
    29 Jun in reply to Bianca
    Hi Bianca

    I am now running 8.2 behind my ARR proxy and have not had any reports of this happening since disabling all the cache on ARR. Although just because no one has reported it doesn't mean it's not happening, so I'll have to do a little testing to try and be extra sure. I would be interested to know what you found out about this so I can double-check my own systems.