SiteFinity 6.3 authenticating incorrect users

Posted by Community Admin on 04-Aug-2018 22:01

Posted by Community Admin on 11-Feb-2014 00:00

I am running 6.3 with claims-based authentication and a SQL membership provider from a previous site. We finished our site last week and brought it up on Monday morning. We have started receiving calls that periodically a user will log in and have permissions they should not have and see personal information for other users on the site. For instance, one user logged in and saw links to a section of the site that he did not have access to. Out of curiosity he clicked on them and the site allowed him to get to the page even though his user is not in the necessary role. Once there, a custom widget pulled a custom field from his profile in order to display information from another database, and it pulled the field from a different user's profile. When the user logs out and back in they start seeing things that belong to them again. It seems very much like they somehow received an authentication cookie for a different user.

We have had to shut down the majority of sections of the site in the login-only areas because of this and will end up needing to contact end users to let them know that their information could have been exposed to other users. I have pulled a snapshot of the Sitefinity database and authentication database and restored it to my dev environment and logged in as the users that contacted us reporting the problem, but I have not been able to reproduce it. I have also looked through the database tables for users, profiles, and roles to see if there were duplicate or orphaned records, but everything looks clean.

If anyone has seen similar things or has any ideas on ways of troubleshooting this it would be extremely helpful. If I cannot get this resolved soon I will have to revert to our old website.

Thanks
David

Posted by Community Admin on 12-Feb-2014 00:00

The only time I've seen caching issues like this on a control are when they're user controls, not SimpleView-based controls.

Can you confirm that, and have you tried disabling caching?

Our site is HEAVILY permissions based and we see none of these problems...odd

Posted by Community Admin on 12-Feb-2014 00:00

I am using user controls for some of my stuff. However, the navigation is using the standard Sitefinity navigation widget and is showing users links they should not have access to when this happens. I have data caching turned off at the moment, but unfortunately I haven't figured out how to reproduce this yet to see if turning off all the caching will fix it. From what I can tell the site responds to the user exactly as if they were a specific other user. They have the other person's permissions, profile etc. Of course this is all based on what was described to me by the users at the moment. The only thing I can know 100% is that my user controls pull custom profile fields from the wrong profile when this occurs. In the controls I am using the identity token to get the current user and then their profile. I do have to wonder if it's something with the SQL membership provider, as I have run into a bunch of difficulties because of it. I was also looking at the sf_lic_user_activity table and it looks like when this occurs the last logon date for the user whose profile is being pulled is within 2 minutes after the user with the problem. It's a really strange problem.

Posted by Community Admin on 12-Feb-2014 00:00

I wanted to add some more information that I have found in case it's helpful. After looking at the activity tables for various database snapshots I found that this only seems to occur the first time a user logs into the site and they happen to log in within a few minutes of another user who has logged in to the site for the first time. I'm not sure if this could have something to do with how I set up profiles. I am using a SQL membership provider for users but using a Sitefinity profile. Before anyone logged into the site I went through all the SQL users and created their profile in order to import some field values from their old profile. I am also running the site behind a reverse proxy and the entire site must go over HTTPS. I'm not sure if that would cause a problem, but I'm working on setting up a reverse proxy for my dev environment so I can test it under the same conditions.

Posted by Community Admin on 12-Feb-2014 00:00

After further testing I was able to reproduce the issue and it seems to be related to my reverse proxy. When 2 users access the site through the reverse proxy and access a secure area at the exact same time they both seem to get the same response. So one user's session now thinks it is the other user's and they get all of that user's roles, permissions, profile etc. Has anyone used Sitefinity behind a reverse proxy? I am using IIS ARR as my reverse proxy.

Posted by Community Admin on 13-Feb-2014 00:00

I finally tracked this down and it looks like the issue is that IIS ARR is caching cookies. I am working on disabling this cache.

Posted by Community Admin on 17-Jun-2015 00:00

Hi David,

Is this issue solved?
I'm facing the same issue; I'm using Sitefinity 7 in a reverse proxy infra:

client - internet - load balancer (ssl offloading) - web server(ARR 2.5) - app server - db server

I have tried to implement Sitefinity load balancer settings, sticky sessions, and changing ARR to URL Rewrite, but the issue still persists.

Posted by Community Admin on 17-Jun-2015 00:00

Ya, once I completely disabled the cache in our IIS ARR server, which is acting as a reverse proxy, the problem went away. I also have a SharePoint environment running claims authentication which passes through the same proxy and the cookies are not cached, so I do wonder if Sitefinity doesn't properly mark the authentication cookies to not be cached.

Specifically, what I did is went into the caching settings on the ARR farm and set the memory cache duration to 0, unchecked enable disk cache, and set query string support to do not cache. Also, from the root IIS server node I went into output caching -> edit feature settings and unchecked all the boxes.

I had no actual need for caching for any of the sites passing through my ARR server, so completely disabling caching was acceptable for me. I don't remember if I tried just disabling it in the farm first, but I feel like I may have.
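The post above raises the question of whether the application marks its authentication responses so that a shared cache (IIS ARR here) must not store them. The following is an added example, not code from this thread, from Sitefinity or from ARR: it applies RFC 7234 shared-cache rules to a response's headers and reports what a caching proxy would be allowed to store and replay to the next visitor, then shows the header set an application should emit to prevent it. The sample responses and the cookie value are constructed placeholders.

```python
"""
Shared-cache safety check for HTTP responses.

Failure mode discussed in the thread: a caching reverse proxy stores a
response carrying one user's authentication cookie (or a page rendered for
a logged-in user) and serves it to the next client. The checks below apply
RFC 7234 shared-cache semantics to response headers.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping

# Constructed sample responses; cookie name and value are placeholders.
LOGIN_RESPONSE_UNSAFE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "SESSION=placeholder-token; Path=/; Secure; HttpOnly",
}
LOGIN_RESPONSE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "SESSION=placeholder-token; Path=/; Secure; HttpOnly",
    "Cache-Control": "no-store, private",
    "Pragma": "no-cache",
}
STATIC_ASSET = {
    "Content-Type": "text/css",
    "Cache-Control": "public, max-age=3600",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_findings(status: int, headers: Mapping[str, str],
                          authenticated: bool) -> List[Finding]:
    """Report ways a shared cache may store and replay this response.

    `authenticated` says whether the request that produced the response
    carried a session cookie, i.e. whether the body is personalised.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    findings: List[Finding] = []

    # no-store or private forbids a shared cache from storing the response.
    if "no-store" in cc or "private" in cc:
        return findings

    if "set-cookie" in h:
        findings.append(Finding("high", "Set-Cookie is storable by a shared cache; "
                                        "the next client could receive this session cookie"))
    if authenticated and "cookie" not in vary and "*" not in vary:
        findings.append(Finding("high", "personalised response is storable and the cache "
                                        "key ignores the request cookie (no Vary: Cookie)"))
    # Without explicit freshness a cache may still store a 200 heuristically.
    explicit_freshness = "max-age" in cc or "s-maxage" in cc or "expires" in h
    if status == 200 and not explicit_freshness:
        findings.append(Finding("medium", "no freshness directive; a cache may apply "
                                          "heuristic freshness (RFC 7234 s4.2.2)"))
    return findings


def is_safe(status: int, headers: Mapping[str, str], authenticated: bool) -> bool:
    """True when no high-severity finding applies."""
    return not any(f.severity == "high"
                   for f in shared_cache_findings(status, headers, authenticated))


def harden(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of the headers marked so no shared cache stores the response.

    Application-layer counterpart of disabling the proxy cache: every response
    that sets a cookie or belongs to a logged-in user should carry these.
    """
    drop = {"cache-control", "pragma", "expires"}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out["Cache-Control"] = "no-store, private"
    out["Pragma"] = "no-cache"  # for HTTP/1.0 intermediaries
    return out


if __name__ == "__main__":
    for label, hdrs, auth in [("unsafe login", LOGIN_RESPONSE_UNSAFE, True),
                              ("hardened login", LOGIN_RESPONSE_HARDENED, True),
                              ("static asset", STATIC_ASSET, False)]:
        print(label, "safe" if is_safe(200, hdrs, auth) else "UNSAFE")
        for f in shared_cache_findings(200, hdrs, auth):
            print("   ", f.severity, f.message)
```

Run against captured response headers from the application tier (before the proxy), it tells you whether the proxy's cache settings are the only thing standing between users' sessions, which is the situation described above; `harden()` shows the header set that removes that dependency regardless of how the proxy is configured.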

Posted by Community Admin on 05-Jul-2015 00:00

Thanks, it's working.

Posted by Community Admin on 24-Jun-2016 00:00

Hi

We are running version 8.2 and the issue still persists after implementing the above mentioned resolution. Please help.

Posted by Community Admin on 29-Jun-2016 00:00

Hello Bianca,

We have answered you in the support ticket. Once you have the solution, you can share it with the community.

Regards,
Svetoslav Manchev
Telerik


Posted by Community Admin on 29-Jun-2016 00:00

Hi Bianca,

I am now running 8.2 behind my ARR proxy and have not had any reports of this happening since disabling all the cache on ARR. Although just because no one has reported it doesn't mean it's not happening, so I'll have to do a little testing to try and be extra sure. I would be interested to know what you found out about this so I can double check my own systems.
