ASP NET MVC last logged in user always replaces the previous logged in user

Question

User1151703306 posted

Hi,

I have an ASP NET MVC app.

On this ASP NET MVC app getting the current user with

Welcome <strong>@HttpContext.Current.User.Identity.Name</strong>

But I have verified that the last logged in user always replaces the previous logged in user

e.g.

the user Foo connects at hours 11:35 and on the View of app, I see on the browser

Welcome Foo

the user Foo2 connects at hours 11:45 from other devices and on the View of app, I see on my browser

Welcome Foo2

The user Foo replaced on the app user Foo2...

If restart browser I see always

Welcome Foo2

How do fix this?

What is wrong?

Thanks

Answer 1

User753101303 posted

Hi,

This kind of behavior happens with agressive server side output caching or when using static data shared accross all users (a static method or property returning user or request scoped data is ok).

You are using System.Web.HttpContext.Current.User.Identity.Name (in a view it should be exposed as Context.User.Identity.Name) or could it be that you are porting to ASP.NET Core and tried to implement a custom replacement for that? 

Answer 2

User1151703306 posted

Thanks for reply.

If change in the View (index.cshtml) from

Welcome <strong>@HttpContext.Current.User.Identity.Name</strong>

to

Welcome <strong>@Context.Current.User.Identity.Name</strong>

I have this error

 CS1061: 'HttpContextBase' does not contain a definition for 'Current' and no accessible extension method 'Current' accepting a first argument of type 'HttpContextBase' could be found (are you missing a using directive or an assembly reference?)

This MVC app working only th browser Google Chrome (company standard)...

How can I avoid user replacement? 

Answer 3

User753101303 posted

This is:

@Context.Current.User.Identity.Name

For now I'm trying to understand what happens. Those built in methods are returning the correct user ie the authenticated user for the http request that is currently processed by your code and they work fine out of the box.

So for now I would see:
- you are using your own HttpContext.Current.User.Identity.Name. I see that sometimes when porting from ASP.NET 4.x to ASP.NET Core. if not implemented correctly it could cause this
- else if you are using server side output cache, the content cached for a user could be reused for another user causing the wrong name to be shown
- the common cause is using static data (ie having a single value for all users) but it doesn't seems the case here (unless this is actually your own custom implementation)

If using really ASP.NET 4.x and the build in System.Web.HttpContext.Current.User.Identity.Name (it is exposed as shortcurt in web forms, controlers, views, razor pages) it always worked fine for me out of the box and never heard about a problem on that from others so more likely something wrong was done.

Answer 4

User1151703306 posted

In my case it's not about porting from ASP.NET 4.x to ASP.NET Core

On controller.cs I have

    public class NoCache : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
            filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
            filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
            filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            filterContext.HttpContext.Response.Cache.SetNoStore();
            base.OnResultExecuting(filterContext);
        }
    }

On global.asax

        protected void Application_PostAuthorizeRequest()
        {            HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Required);
        }

Answer 5

User753101303 posted

This is an attempt to solve your issue or you configured a cache and this particular action is not supposed to be cached at all? If you configured cachiing options try perhaps to disable them all for now and see what happens?

Also my very first move would be to show a date/time next to the user name to be 100% sure if it looks like a caching issue or if this is really some unexpected behavior in the user name.

Beyond that I'm don't see how I could make that to happen with the correct built-in http context access methods. ah BTW which authentication method do you use? If this is a custom principal it could be coding error (maybe with static data) causing the last created custom principal being used for all users ???

Answer 6

User1151703306 posted

Ok thank you.

I have tried using Google Chrome browser, using my pc, with 

Welcome <strong>@Context.User.Identity.Name  @DateTime.Now</strong>

the return is

Welcome Domain\foo 22/01/2021 16:45:03

After I'm connected from mobile device using Internet Samsung browser and using user Domain\foo2

the return is

Welcome Domain\foo2 22/01/2021 16:50:35

When refresh the browser on my pc and go and refresh on mobile device the return is

Welcome Domain\foo 22/01/2021 16:51:46

The user Foo replaced on the app user Foo2...

Answer 7

User-474980206 posted

as you did not show the values for both the pc & mobile refresh, did the times match? the whole point of the exercise 

Answer 8

User1151703306 posted

bruce (sqlwork.com)

as you did not show the values for both the pc & mobile refresh, did the times match? the whole point of the exercise 

I show the values of both the pc & mobile refresh...

First access from pc

Welcome Domain\foo 22/01/2021 16:45:03

First access from mobile device 

Welcome Domain\foo2 22/01/2021 16:50:35

Last access from pc after refresh

Welcome Domain\foo2 22/01/2021 16:51:46

The user foo2 replaced on the app user foo...

First access from mobile device

Welcome Domain\foo2 22/01/2021 16:55:13

First access from pc

Welcome Domain\foo 22/01/2021 16:58:33

Last access from mobile device after refresh

Welcome Domain\foo 22/01/2021 16:59:53

The user foo replaced on the app user foo2...

Answer 9

User-474980206 posted

the timestamp shows the page is not cached. this implies a coding error where somewhere the user is stored in a static. if your view is really using:

@HttpContext.Current.User.Identity.Name<

 then your code to load the identity into the context is wrong. you don't show this code.