Backendless Support
 

Backendless.UserService.LoggedInUserId() returned wrong user

Hi, I have some .NET code which returns the ID of the current user. While testing yesterday it mysteriously retrieved the wrong user. I don't know the password for that user, so there is no way I could have logged on as that user. Would you mind just checking this code for me in case I have misunderstood the docs? Unfortunately I can't replicate the strange behaviour again, but it definitely happened!

So I logged in as User A on my web login page. Then in the user's details page of the same web app I try to retrieve the details of User A using the code below. However, what actually happened is that it showed the details of User B. If this helps to understand what happened, I noted that User B had actually just signed up as a new Backendless user, as their name was the latest user on the Backendless console. It looks like rather than picking up the logged-in user of my web application I am somehow retrieving the last user who has interacted with the Backendless app as a whole instead.

Apologies for the longer wrong introduction, but I hope it makes sense and I hope you can see how important it is we retrieve the correct user!!

    // This is a .NET .aspx web page. The user has logged in or signed in on a previous .aspx page in the same web application. Using Backendless 3.

    // Firstly I check if the user has a valid login
    loginSuccess = Backendless.UserService.IsValidLogin();

    // If logged in then I want to retrieve the user so that I can display the user's information to the user on the page.
    if (loginSuccess == true)
    {
        // Get the currentUserId
        String currentUserId = Backendless.UserService.LoggedInUserId();

        // Now (as a bit of a sidenote I think this line should work, but it actually crashes)
        //loggedInUser = Backendless.Data.Of<BackendlessUser>().FindById(currentUserId);

        // So I use a longer version which works, but not very pretty!
        String whereClause = "objectId = '" + currentUserId + "'";
        BackendlessDataQuery dataQuery = new BackendlessDataQuery(whereClause);
        dataQuery.PageSize = 1;
        BackendlessAPI.Data.BackendlessCollection<BackendlessUser> theUsers = Backendless.Data.Of<BackendlessUser>().Find(dataQuery);

        foreach (BackendlessUser theUser in theUsers.Data)
        {
            loggedInUser = theUser; // finally got the user
        }

        // Show details of user to user, e.g.
        lblUserName.Text = "Hello " + (String)loggedInUser.GetProperty("name");

        // This works, EXCEPT mysteriously it showed the wrong user, not the user I had logged in as. It actually showed the name of the person who had just signed up as a new user somewhere else on the planet, but definitely not on my browser! Help!!
    } // end if logged in

Comments (4)

Hi Mike,

Does this behavior of getting a wrong user happen every time?

Regards,

Mark


Hi Mark

No, it's only happened once. I can't replicate it again. But the fact that it did happen set alarm bells off and I just wanted to make sure that what I was doing was in fact correct or if my code was somehow wrong in design. I don't see how it could have happened, even if it was once.

Mike


When the user signs up or logs in I could store their currentUserID into a browser cookie or similar and then use that to retrieve their user information (if isValidLogin returns true).

However as you have an inbuilt way of returning the userID this seemed a neater solution and probably more secure and reliable?

Mike


Our mechanism for 'staying logged in' merely stores the current user token after login, so that after you quit the app and come back again, we could retrieve that token from the device storage and verify if the token is still valid.

This may have also been the case when you logged in with wrong user - that user might have logged in on the device earlier with the 'stayLoggedIn' option set to true.

By the way, retrieving user object by ID is not the same thing as logging in, so having a wrong user's objectId is fine. All you'll be able to do is to retrieve its data and a hashed password, but you still won't be able to log in without the original password.
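
Added example, not part of the thread and not Backendless SDK code: a minimal C# sketch of how the symptom in the question can arise when a server-side web app relies on a single process-wide "current user" slot of the kind the reply describes for a device, next to a store keyed by server session. `ClientStyleUserService`, `SessionUserStore` and all IDs are hypothetical, and the assumption that the SDK's login state is shared across web requests is not confirmed on the page.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a client SDK that remembers ONE logged-in user
// per process (assumption; this is not Backendless code).
static class ClientStyleUserService
{
    private static string currentUserId;   // one slot shared by every request
    public static void Login(string userId) { currentUserId = userId; }
    public static string LoggedInUserId() { return currentUserId; }
}

// Per-session alternative: the server keys the user ID by the session ID
// it issued to each browser.
class SessionUserStore
{
    private readonly Dictionary<string, string> bySession = new Dictionary<string, string>();
    private readonly object gate = new object();

    public void Login(string sessionId, string userId)
    {
        lock (gate) { bySession[sessionId] = userId; }
    }

    public string LoggedInUserId(string sessionId)
    {
        lock (gate)
        {
            string userId;
            return bySession.TryGetValue(sessionId, out userId) ? userId : null;
        }
    }
}

static class Demo
{
    static void Main()
    {
        var sessions = new SessionUserStore();

        // Constructed sequence: browser 1 logs in as User A, then a different
        // person signs up and logs in as User B from browser 2.
        ClientStyleUserService.Login("user-A"); sessions.Login("sess-1", "user-A");
        ClientStyleUserService.Login("user-B"); sessions.Login("sess-2", "user-B");

        // Browser 1 now opens its details page. The shared slot was overwritten
        // by the second login; the per-session lookup is unaffected by it.
        Console.WriteLine("process-wide: " + ClientStyleUserService.LoggedInUserId());
        Console.WriteLine("per-session:  " + sessions.LoggedInUserId("sess-1"));
    }
}
```

In an ASP.NET page the key would be the framework's server-side session rather than a user ID supplied by the browser, since a client-set ID can be altered.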