'securing' cookies/login info

This is an issue I brought up probably a year or so ago, got some advice,
then was sidetracked on the project until now. So, here I am again. ;o)
>
The situation is that we have an older chunk of code I've been tasked to
maintain 'as-is'. It's a CMS we wrote in ASP.net 1.1 about 4 years ago.
>
It works.
>
But we have one major issue and that's when people log in, maybe 5% of the
time, the end up with someone elses credentials. There's multiple things
we're likely doing wrong here, so I'll try to explain all the variables that
would effect this and then ask some specific questions:
>
- a user logs into one of 3 separate apps
- login function is called, which checks their credentials in the DB and
then writes a cookie with their credentials
- every page in the CMS (regardless of which of the 3 apps they are in)
loads a usercontrol onto the page. This usecrontrol then reads said cookie
and sets the value of various PUBLIC SHARED variables.
>
Things that I know are bad:
>
- the fact we used 3 apps. This should be one app.
- we're storing credentials in a cookie. Quite insecure (though not the end
of the world in this case)
- the way I'm reading in the cookie data
>
What happens:
>
- most of the time, nothing. But, once in a while you can tell that a
person has just logged in and from the time they hit LOGIN to the time the
server sends them their web page, someone else has done the same and the
usercontrol reads in the data of SOMONE else's cookie. If the end-user
refreshes the page, then they're back to their cookie.
>
What I could do:
>
1) rewrite the app in asp.net 2.0 and use the built in permissions/roles
system
2) have the cookie only write out their logged-in status and their
username, then check that against the DB each time
3) Not use cookies but session state instead?
4) Fix my bad usercontrol/Public Shared variables?
>
Option 1 and 2 are out as I'm supposed to be touching this code as little as
possible.
>
Are option 3 and 4 viable? What, exactly, is causing my issue (cookie data
being sent to the wrong user?) Is it as simple as fixing the way I'm reading
the cookie? Is it better to use session state?
>
IIRC the last time I went through this, the main issue is the 'SHARED'
variable, which allows every instantiation of it to be 'the' most updated
version that everyone reads. However, I can't remove SHARED as I can't then
access that property from the page that loads the usercontrol. I'm pretty
sure this is all due to me not having a full grasp of OOP and therefor not
creating a new instance of the class I need.
>
_Darrel
>
>
>

or add a lock, so
only one user at a time can use the site (this may be the easiest, as load
does not appear to be a problem)

>
That's what I thought. What I'm not so sure about, though, is what to
replace them with.
>
If I removed the 'shared' declaration, I can't access the variable in the
control from the page that is loading it.
>>
Not sure what you mean by that. Do you mean if someone is using the CMS,
block anyone else from using it?
>
-Darrel
>

properties in the control and set them. The timing is important as if you
set them in the Page_Load event of the page, they won't be available in
the Page_Load of the control since it fires at a different time. The
OnPreRender method of the control will be able to read the properties set
by the page in a Page_Load event. If the code that handles the variables
is loaded earlier, then you can access them earlier in the control's event
lifecycle.

>
good old properties. so, I assume properties don't have the 'shared' issue
with them being shared across the application by each user? If so, that
certainly sounds like the best 'band aid' solution for this project until
it can be rewritten.
>
-Darrel
>