
Login Issue #7838


PhilWynn created

Hi,

Having been successfully hosting our Aspnet Zero based system for several years, we have just encountered a security problem.

A user logged on to a recently created tenancy only to find that the tenancy/user label in the top right corner was referring to a different user on a tenancy to which he had no connection.

The menu items he reported seeing were consistent with the permissions of the user labelled in the top right corner, but the data he was seeing was correct for the tenancy to which he logged on.

Please note the following:

  • I could find no record in the UserLoginAttempts table for this particular login
  • I could find nothing in the error logs to suggest what the problem was
  • There is no chance that the user labelled in the top right corner could have ever logged on from that machine
  • I am running Aspnet Zero v4.0 on MVC/jQuery.
  • I upgraded to ABP v4.5.0 a few months ago.

This is of great concern to us, and I am hoping you would be able to shed some light on this.

Many thanks.

Additional information: I have just been informed by my client that the login mentioned above was done via the Linked User functionality. It has also happened once more, this time via an impersonation login.


6 Answer(s)
  • ismcagdas created
    Support Team

    Hi @philwynn

    Using Linked User functionality or impersonation, a user can see data of another user. Is that the case your client is having? Probably I couldn't understand the problem very well :).

    Thanks,

  • PhilWynn created

    Hi,

    Yes, I am obviously aware that this is the purpose of Linked Users and Impersonation.

    The problem we had is that the system displayed tenancy/user information in the header label that was not related to the tenancy/user that was linked to/impersonated, although the data displayed was for the correct tenancy.

    Also worth mentioning, the correct user/tenancy label was displayed after a page refresh.

    I have added some additional logging here to help diagnose the problem. So far, it has happened twice.

    Regards

  • ismcagdas created
    Support Team

    Hi @philwynn

    Thanks, got it now. If you can provide a way to reproduce it, we can take a look.

  • PhilWynn created

    Hi,

    Unfortunately, the bug is intermittent, and I have been unable to reproduce it at will. I have improved logging in this area, so will have more to go on if and when it happens again.

    Please could I request that we keep this ticket open for the time being so that I can get back to you if I have any more information.

    Many thanks.
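The extra request logging mentioned in the two PhilWynn posts above is not shown in the ticket. The following is an added example (not the ticket's or ASP.NET Zero's own code) of one way to capture the information that would help diagnose a header label that disagrees with the data on the page: a middleware that, for every authenticated request, records the identity carried by the authentication cookie's claims alongside the identity ABP resolves through IAbpSession, and logs a warning whenever the two disagree. It assumes ASP.NET Core, ABP's Abp.Runtime.Session.IAbpSession and Abp.Runtime.Security.AbpClaimTypes; the middleware class name is hypothetical.

```csharp
// Added example, not part of the ticket or of ASP.NET Zero's own code.
// Assumes ASP.NET Core with ABP's IAbpSession (Abp.Runtime.Session) and
// AbpClaimTypes (Abp.Runtime.Security). The class name is hypothetical.
using System.Threading.Tasks;
using Abp.Runtime.Security;
using Abp.Runtime.Session;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public class IdentityConsistencyLoggingMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<IdentityConsistencyLoggingMiddleware> _logger;

    public IdentityConsistencyLoggingMiddleware(
        RequestDelegate next,
        ILogger<IdentityConsistencyLoggingMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    // IAbpSession is resolved per request by the DI container.
    public async Task InvokeAsync(HttpContext context, IAbpSession abpSession)
    {
        if (context.User?.Identity?.IsAuthenticated == true)
        {
            // Identity as carried by the authentication cookie's claims.
            var claimUserId = ParseLong(context.User.FindFirst(AbpClaimTypes.UserId)?.Value);
            var claimTenantId = ParseInt(context.User.FindFirst(AbpClaimTypes.TenantId)?.Value);
            var claimImpersonatorUserId = ParseLong(context.User.FindFirst(AbpClaimTypes.ImpersonatorUserId)?.Value);
            var claimImpersonatorTenantId = ParseInt(context.User.FindFirst(AbpClaimTypes.ImpersonatorTenantId)?.Value);

            // Identity as resolved by ABP's session abstraction, which data access uses.
            var sessionUserId = abpSession.UserId;
            var sessionTenantId = abpSession.TenantId;

            // A request where the cookie identity and the session identity disagree
            // is the condition worth seeing in the logs when the header label is wrong.
            var mismatch = claimUserId != sessionUserId || claimTenantId != sessionTenantId;

            _logger.Log(
                mismatch ? LogLevel.Warning : LogLevel.Debug,
                "Identity check {Path}: claims user={ClaimUser} tenant={ClaimTenant} " +
                "impersonatorUser={ImpUser} impersonatorTenant={ImpTenant}; " +
                "session user={SessionUser} tenant={SessionTenant}; mismatch={Mismatch}",
                context.Request.Path,
                claimUserId, claimTenantId,
                claimImpersonatorUserId, claimImpersonatorTenantId,
                sessionUserId, sessionTenantId,
                mismatch);
        }

        await _next(context);
    }

    private static long? ParseLong(string value) =>
        long.TryParse(value, out var n) ? n : (long?)null;

    private static int? ParseInt(string value) =>
        int.TryParse(value, out var n) ? n : (int?)null;
}
```

Register it in Startup.Configure with `app.UseMiddleware<IdentityConsistencyLoggingMiddleware>();` after `app.UseAuthentication();` so the claims principal is already populated. Because the header label and the page data are both rendered from the server-side identity, a warning line on the request that produced the wrong label narrows the search to the identity source the layout used; a request with no warning points instead at something outside the identity pipeline, such as a cached or stale view.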

  • ismcagdas created
    Support Team

    Hi @philwynn

    Sure, we can keep it open. If you can send the log files, we can also examine them.

  • ismcagdas created
    Support Team

    This issue is closed because it has not had recent activity for a long time.