IMPORTANT: Freeze user name in connection string when using integrated security

Brian Crowell · Brian Crowell · commit 2eb7f5570141 · 2014-02-21T16:07:30.000-06:00
When connection pooling is turned on, connections are cached by connection
string. But when integrated security is turned on, the user's identity
isn't part of the connection string, so two users can get each other's
connections back from the connection pool.

This patch forces the username to appear in the connection string if
integrated security is on, before any pooling takes place.
diff --git a/Npgsql/Npgsql/NpgsqlConnection.cs b/Npgsql/Npgsql/NpgsqlConnection.cs
@@ -1058,15 +1058,14 @@ private void LogConnectionString()
         /// <param name="connectionString">The connection string to load the builder from</param>
         private void LoadConnectionStringBuilder(string connectionString)
         {
-            settings = cache[connectionString];
-            if (settings == null)
+            NpgsqlConnectionStringBuilder newSettings = cache[connectionString];
+            if (newSettings == null)
             {
-                settings = new NpgsqlConnectionStringBuilder(connectionString);
-                cache[connectionString] = settings;
+                newSettings = new NpgsqlConnectionStringBuilder(connectionString);
+                cache[connectionString] = newSettings;
             }
 
-            RefreshConnectionString();
-            LogConnectionString();
+            LoadConnectionStringBuilder(newSettings);
         }
 
         /// <summary>
@@ -1075,7 +1074,13 @@ private void LoadConnectionStringBuilder(string connectionString)
         /// <param name="connectionString">The connection string to load the builder from</param>
         private void LoadConnectionStringBuilder(NpgsqlConnectionStringBuilder connectionString)
         {
-            settings = connectionString;
+            // Clone the settings, because if Integrated Security is enabled, user ID can be different
+            settings = connectionString.Clone();
+
+            // Set the UserName explicitly to freeze any Integrated Security-determined names
+            if (settings.IntegratedSecurity)
+               settings.UserName = settings.UserName;
+
             RefreshConnectionString();
             LogConnectionString();
         }

Original file line number	Diff line number	Diff line change
`@@ -1058,15 +1058,14 @@ private void LogConnectionString()`
`1058`	`1058`	`/// <param name="connectionString">The connection string to load the builder from</param>`
`1059`	`1059`	`private void LoadConnectionStringBuilder(string connectionString)`
`1060`	`1060`	`{`
`1061`		`- settings = cache[connectionString];`
`1062`		`- if (settings == null)`
	`1061`	`+ NpgsqlConnectionStringBuilder newSettings = cache[connectionString];`
	`1062`	`+ if (newSettings == null)`
`1063`	`1063`	`{`
`1064`		`- settings = new NpgsqlConnectionStringBuilder(connectionString);`
`1065`		`- cache[connectionString] = settings;`
	`1064`	`+ newSettings = new NpgsqlConnectionStringBuilder(connectionString);`
	`1065`	`+ cache[connectionString] = newSettings;`
`1066`	`1066`	`}`
`1067`	`1067`
`1068`		`- RefreshConnectionString();`
`1069`		`- LogConnectionString();`
	`1068`	`+ LoadConnectionStringBuilder(newSettings);`
`1070`	`1069`	`}`
`1071`	`1070`
`1072`	`1071`	`/// <summary>`
`@@ -1075,7 +1074,13 @@ private void LoadConnectionStringBuilder(string connectionString)`
`1075`	`1074`	`/// <param name="connectionString">The connection string to load the builder from</param>`
`1076`	`1075`	`private void LoadConnectionStringBuilder(NpgsqlConnectionStringBuilder connectionString)`
`1077`	`1076`	`{`
`1078`		`- settings = connectionString;`
	`1077`	`+ // Clone the settings, because if Integrated Security is enabled, user ID can be different`
	`1078`	`+ settings = connectionString.Clone();`
	`1079`	`+`
	`1080`	`+ // Set the UserName explicitly to freeze any Integrated Security-determined names`
	`1081`	`+ if (settings.IntegratedSecurity)`
	`1082`	`+ settings.UserName = settings.UserName;`
	`1083`	`+`
`1079`	`1084`	`RefreshConnectionString();`
`1080`	`1085`	`LogConnectionString();`
`1081`	`1086`	`}`