Authentication issue with session state

Today I am teaching the ASP.NET (2310B) course from Microsoft. In the module on state management, one of my students stumbled across a peculiar behavior. Here is the setting…

Web.config (just the relevant content)

 1: <configuration>
 2:   <system.web>
 3:     <identity impersonate="true" />
 4:     <authentication mode="Windows" />
 5:     <authorization>
 6:       <deny users="?" /> <!-- Deny anonymous users -->
 7:     </authorization>
 8:     <sessionState
 9:       mode="SQLServer"
10:       stateConnectionString="tcpip=127.0.0.1:42424"
11:       sqlConnectionString="data source=127.0.0.1;integrated security=SSPI;"
12:       cookieless="false"
13:       timeout="20"
14:     />
15:   </system.web>
16: </configuration>

As seen above, the application is denying anonymous users and enforcing Windows authentication. The application is also using the identity element on line 3 to execute in the context of the current Windows user. All of the code in the application making database calls (using Windows authentication) works as expected. However, after executing the InstallSqlState.sql script and using session state, the application threw an exception stating that the anonymous user (IUSR_blahblahblah) does not have permission in SQL Server.

What I determined from this is that the call for session state data apparently happens prior to the authentication check in the pipeline. To resolve this, the web application in IIS could simply disable the anonymous account, or the connection string could use a SQL login instead of windows authentication.
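
A configuration check for the combination described above, as an added example that is not part of the original post: it flags a Web.config whose SQL Server session state uses Windows authentication while impersonation is on. The function names are hypothetical, and the sample is the post's configuration re-typed without the listing's line numbers.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's Web.config without the listing's line numbers.
PAGE_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" />
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=127.0.0.1;integrated security=SSPI;"
                  cookieless="false" timeout="20" />
  </system.web>
</configuration>"""


def parse_conn_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def uses_integrated_security(conn):
    """True when the connection string asks for Windows (SSPI) authentication."""
    flag = conn.get("integrated security", conn.get("trusted_connection", ""))
    return flag.lower() in ("sspi", "true", "yes")


def audit_session_state(config_xml):
    """Return findings for the configuration combination described in the post."""
    root = ET.fromstring(config_xml)
    session = root.find("system.web/sessionState")
    if session is None or session.get("mode", "").lower() != "sqlserver":
        return []  # session state is not stored in SQL Server
    conn = parse_conn_string(session.get("sqlConnectionString", ""))
    if not uses_integrated_security(conn):
        return []  # a SQL login is used, the second resolution in the post
    findings = ["sessionState connects to SQL Server with Windows authentication"]
    identity = root.find("system.web/identity")
    if identity is not None and identity.get("impersonate", "").lower() == "true":
        findings.append("impersonation is on: confirm anonymous access is "
                        "disabled in IIS, or the session store sees IUSR_*")
    return findings


if __name__ == "__main__":
    for finding in audit_session_state(PAGE_CONFIG):
        print("FINDING:", finding)
```

Whether anonymous access is enabled is an IIS setting that is not stored in Web.config, so the second finding is a prompt to check IIS rather than a verdict.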
