Aspx，类的全局实例，代码结构中可能存在错误

发布于 2024-11-16 10:24:41 字数 725 浏览 1 评论 0原文

我正在追踪一些旧的 aspx 代码中的错误。问题是，在一些非常罕见的情况下（1/10.000 页面浏览量左右），两个用户会混淆，即。用户A看到用户B的数据。

代码的结构如下：我们有一个在模块中定义的用户类，如下所示：

Public Module MyGlobals
    Public myUser As CMyUser
End Module

在登录页面上，我们验证用户名/密码，如果有效，则从数据库加载相应的用户ID，然后我们执行以下操作

FormsAuthentication.SetAuthCookie(userid, False)

：重定向到安全区域。在安全区域 MasterPage 中，在事件 Page_Init 上，我们可以：

If Context.User.Identity.IsAuthenticated then
    ' Initialize the user class (user data is loaded)
    MyGlobals.myUser = New CMyUser(Context.User.Identity.Name)
Else
    ' Redirect to loginpage
End If

此后，访问

MyGlobals.myUser

实例，还是此结构可能存在问题？

原文

I am tracking down a bug in some old aspx code. The problem is that one some very rare occations (1/10.000 pageviews or so) two users are mixed up, ie. user A sees user B data.

Here is how the code is structured: We have a user class which is defined in a module like this:

Public Module MyGlobals
    Public myUser As CMyUser
End Module

On the loginpage, we validate the username/password and if valid then the coorosponding userid is loaded from db, and we do:

FormsAuthentication.SetAuthCookie(userid, False)

Then we redirect to the secure area. In the secure areas MasterPage, on event Page_Init, we then have:

If Context.User.Identity.IsAuthenticated then
    ' Initialize the user class (user data is loaded)
    MyGlobals.myUser = New CMyUser(Context.User.Identity.Name)
Else
    ' Redirect to loginpage
End If

Hereafter, is it safe to access the

MyGlobals.myUser

instance from every page which has the secure masterpage as masterpage, or could there be issues with this structure?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

辞别 2024-11-23 10:24:41

VB.Net 模块就像 C# 中具有私有构造函数和静态字段的静态类。

这意味着，模块中声明的所有变量都在所有线程之间共享。因此，使用此模块的每个请求（用户）都会覆盖旧值。

我强烈建议使用 Session 来存储用户敏感数据。
但我不确定您为什么要存储用户名，因为它在使用 FormsAuthentication 时已经存储了（如您在上面所示）。

如果您确实需要这个包装器，即使在静态上下文中，您也可以通过 HttpContext.Current.Session 轻松实现它：

Module MyGlobals
    Public Property myUser As CMyUser
        Get
            If HttpContext.Current.Session("CurrentUser") Is Nothing Then
                Return Nothing
            Else
                Return DirectCast(HttpContext.Current.Session("CurrentUser"), CMyUser)
            End If
        End Get
        Set(ByVal value As CMyUser)
            HttpContext.Current.Session("CurrentUser") = value
        End Set
    End Property
End Module

A VB.Net Module is like a static class with a private constructor and only static fields in C#.

That means, all variables declared in a module are shared across all threads. Hence every request(User) that's using this module will overwrite the old value.

I would strongly recommend to use Session to store user-sensitive data.
But i'm not sure why you want to store the Username because it's already stored when using FormsAuthentication(as you've shown yourself above).

If you really need this wrapper, you could easily achieve it even in a static context via HttpContext.Current.Session:

Module MyGlobals
    Public Property myUser As CMyUser
        Get
            If HttpContext.Current.Session("CurrentUser") Is Nothing Then
                Return Nothing
            Else
                Return DirectCast(HttpContext.Current.Session("CurrentUser"), CMyUser)
            End If
        End Get
        Set(ByVal value As CMyUser)
            HttpContext.Current.Session("CurrentUser") = value
        End Set
    End Property
End Module

回复收藏 0 原文

~没有更多了~