Vulnerability in EPiServer.Forms
Thanks In Advance!
I am showing a list of users with LastActivityDate, but I am getting LastActivityDate as CurrentDatetime from the Membership.GetUser method. Can anybody tell me why this is?
Are you getting any data from the user's profile at the same time? I think that might update the activity date.
Which MembershipProvider is this?
I am using Sql Membership Provider
The lines of code are
MembershipUser mUser = Membership.GetUser("email@example.com");
EPiServerProfile profile = EPiServerProfile.Get(user);
Try commenting out the EPiServerProfile call and see if it stops updating the activity date.
It seems this is very low-level. It's actually the stored procedure (!) aspnet_Profile_Get_Properties which updates the membershipUser directly in the database with the last activity date. You can of course change the stored procedure to omit this update. Not a very good solution, but perhaps the only one :(
Yes, the SqlProfileProvider's implementation in the stored proc aspnet_Profile_GetProperties does actually update the LastActivityDate field:
...
IF (@@ROWCOUNT > 0)
BEGIN
    UPDATE dbo.aspnet_Users
    SET LastActivityDate=@CurrentTimeUtc
    WHERE UserId = @UserId
END
...
Edit: Sorry, didn't see Magnus's post above, thus the duplicate...
That's working, but if I have to show info from the profile, then what do I have to do?
Then you'll have to change the stored procedure, remove the section Johan pasted in his post above.
Another (ugly) option would be to call UpdateUser() on the MembershipUser right after getting the profile. That would write back the old activity date previously read... at least theoretically, I haven't tried this myself.
MembershipUser mUser = Membership.GetUser("email@example.com");
EPiServerProfile profile = EPiServerProfile.Get(user);
mUser.UpdateUser();
Perhaps, or explicitly getting the date from the membership user, storing it in a local variable while reading the profile and then setting it back in the membership user. But any way you'd have to remember to do that in every place of the code where you get the profile.
You could of course subclass the profile and put the hack in there somewhere. Or somehow change the call to the stored procedure so that it calls some custom implementation with a different name - that way you'll at least notice if the customized procedure is not available in the database (I mean, if you run the site with a different database or some update for aspnet rewrites the stored procedure).
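The save-and-restore workaround discussed above, as an added example that is not part of any post in this thread or of EPiServer's own code. The class and method names are hypothetical; it assumes the SqlMembershipProvider and SqlProfileProvider setup described in the thread.

```csharp
using System;
using System.Web.Security;
using EPiServer.Personalization;

// Hypothetical helper (not from the thread): reads profile data while keeping
// LastActivityDate usable as a "last seen" signal for audits and stale-account reviews.
public static class ProfileActivityGuard
{
    // 'read' receives the profile and returns whatever values the caller needs.
    // Profile values are typically loaded on first property access, so the reads
    // must happen inside this method, before the saved date is written back.
    public static T ReadProfile<T>(string userName, Func<EPiServerProfile, T> read)
    {
        if (read == null) throw new ArgumentNullException("read");

        // userIsOnline: false, so this lookup does not stamp LastActivityDate itself.
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null)
            throw new ArgumentException("Unknown user: " + userName, "userName");

        // Remember the real value before the profile provider touches the row.
        DateTime savedActivity = user.LastActivityDate;
        try
        {
            // aspnet_Profile_GetProperties runs somewhere in here and sets
            // aspnet_Users.LastActivityDate to the current UTC time.
            EPiServerProfile profile = EPiServerProfile.Get(userName);
            return read(profile);
        }
        finally
        {
            // Write the saved date back, even if the read threw.
            // Caveat: UpdateUser persists the whole MembershipUser (email, comment,
            // approval flag, login date), so a genuine login or edit that lands
            // between GetUser and UpdateUser can be overwritten with stale values.
            user.LastActivityDate = savedActivity;
            Membership.UpdateUser(user);
        }
    }
}
```

A call such as `ProfileActivityGuard.ReadProfile(name, p => p.DisplayName)` keeps every profile read behind one code path, which addresses the concern about remembering the fix at each call site.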
I think the SP option is better than Updateprofile. Anyway, thanks for your efforts.
will not update lastactivitydate. (or am I missing something here...)
The problem is the call to the EPiServerProfile/ProfileBase (which is used in the same context), which updates the MembershipUser's LastActivityDate on the database level.