How could ASP.NET forms authentication session leak into a different site?

We’re dealing with a vulnerability where a forms authentication from one site can be used within a separate site. I can’t figure out how is IIS or ASP.NET allowing this to occur


  1. Login to as user “admin”
  2. Save authetication cookie value
  3. Go to and use “EditThisCookie” extension to create a matching authentication cookie from step 2
  4. Submit that to bypass site2’s authentication using site1’s cookie (Logged in as “admin” on site2. Confirmed that I’m looking at site2’s data – not some kind of alias of site1)


  • 1 IIS Server (Windows 2016)
  • 2 ASP.NET4 sites ( and
  • site1 cookie name is SITE1_AUTH, and site2 cookie name is SITE2_AUTH
  • using inproc session storage
  • using separate application pools for site1 and site2
  • cookies specify full domain ex: (not
  • In the code it’s using FormsAuthentication.SetAuthCookie()
  • site1 and site2 have same user user1

I created a dummy test code to try to reproduce this issue using the relevant ASP.NET authentication code and web.config. I can’t reproduce it in the dummy code though. It only works in the actual (large) application. For that reason I can’t share the relevant source code, so I would be able to accept any hints for further exploration as a solution.

ASP.NET CORE validate is not a function – manual validate trigger

I have a simple core app generated from core MVC template. Scaffolded some controllers and views and I was good to go.

I have tested validation with jquery validate unobtrusive. When I use attributes in my models like [Required] everything works, the form is not submitted unless there is everything according to validation rules.

However, on a different page, I need to trigger validation manually. Both functions valid() and validate() throws

typeError validate() is ont a function

However when I go var pas = $ ('form')[3] and call pas.jQuery331028614785259688062.unobtrusiveValidation.validate()

validation is triggered properly and displays a validation message. Problem is that this long jQuery string is every time different, therefore I cannot accept using just this string every time as this changes.

I have checked my scripts jquery validate is referenced properly, after jquery and validation scripts are initialized through @{await Html.RenderPartialAsync("_ValidationScriptsPartial");}

Any ideas?

Authorization using Entity Framework in ASP.NET MVC

1. Backstory

I recently starting programming and I found out that Entity Framework works perfect for my small-sized applications due its simplicity.

I’ve made my custom authorize attribute for MVC controllers and controller methods to check if the current user has a certain role (which is an enum type in my case).

The following code represents my authorize attribute:

public class HasRoleAttribute : ActionFilterAttribute {     private Role _role;      public HasRoleAttribute(Role role)     {         this._role = role;     }      public override void OnActionExecuting(ActionExecutingContext filterContext)     {         var context = new FactoryManagementContext();          var userName = filterContext.HttpContext.User.Identity.Name;         var user = context.Users.FirstOrDefault(item => item.UserName == userName);                var hasRole = user.Role == _role;          if (user == null || !hasRole)         {             // If this user does not have the             // required permission then redirect to login page             var url = new UrlHelper(filterContext.RequestContext);             var loginUrl = url.Content("/Account/Login");             filterContext.HttpContext.Response.Redirect(loginUrl, true);         }     } }  public enum Role  {     Engineer,     Manager,     Admin } 

2. Question

It works as a charm, but I have only one question: is it necessary to initialize the database context every single time when authorizing a user?

How to retrieve value from a view going to a controller using AJAX in ASP.Net MVC?

I have a hard time passing the value of a string entered in the textbox going to the controller using AJAX.

I’ve tried this one but it didn’t work.

    <input type="text" name="refID" id="refID"><br />     <button type="button" class="submit">Submit</button>  $  (document).ready(function () {         $  (".submit").click(function () {             alert("hahaha");             $  .ajax({                  type: 'GET',                 url: '@Url.Action("TransactionVerification", "Dashboard")',                 data: {                     RefID: $  ("#refID").val()                     },                 success: function (response) {                     $  (".content").html(response);                 },                 error: function () {                     alert("Problem on uploading file");                 }              });          });       });  

The Controller

 public async Task<ActionResult> TransactionVerification(String RefId)         { //some code }  

When I debug the value of the RefId in the controller is always null.

Guardar la suma de en la base de datos

Hola yo tengo una suma en asi:

protected void Button1_Click(object sender, EventArgs e)         {             double a = Convert.ToDouble(Numero1.Text);             double b = Convert.ToDouble(Numero2.Text);             double resultadosum = a + b;             Resultado.Text = resultadosum.ToString();         } 

y la vista de la suma esta hecha en aspx necesito el resultado de la suma guardarlo en una base de datos, ya cree la base de datos y tambien añadí el modelo en asp.