0

i have a load balancing application, and we have an issue where a user try to log in, he/she will then see some else's name.

during the logout process we only call "Session.Abandon();". The article in http://support.microsoft.com/kb/899918 states the following:

When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance. At the same time, if the user opens another application within the same DNS domain, the user will not lose their session state after the Abandon method is called from one application.

does anyone have a clue of why the user sees some else's name while loging in?

Edited - code:

public class CacheManager
{
public Contact.Contact User
{
    get { return HttpContext.Current.Session["Contact"] as Contact.Contact; }
    set { HttpContext.Current.Session["Contact"] = value; }
}
}

header.ascx.cs

/// <summary>
/// This is the session manager
/// </summary>
public readonly CacheManager Localcache = new CacheManager();


public Login()
{
     var contact = BAL.Contact.Get(this.UserName, this.Password);
     Localcache.User = contact;
     Response.Redirect(Request.Url.AbsoluteUri);
}

protected void Logout_Click(object sender, ImageClickEventArgs e)
{
        Session.Abandon();
        Response.Redirect(Constants.HomePage);
}


header.ascx:

You are logged in as
<br />
<span class="user_desc">
<%= string.Format("{0} {1}",LocalCache.User.FirstName ,LocalCache.User.LastName)%></span>
user384080
  • 4,576
  • 15
  • 64
  • 96
  • Are you using InProc Session State mode? I think InProc does not work well with webfarm/network load balancing. Check this question http://stackoverflow.com/questions/7084729/load-balancing-in-asp-net-what-i-should-consider-while-development – pinoy_ISF Jul 08 '13 at 11:46
  • in-proc session state – user384080 Jul 09 '13 at 00:20

1 Answers1

1

when a user explicitly logs out and a new user accesses the page (assuming the browser wasn't closed), the browser still maintains the sessionId (even with Session.Clear() and Session.Abandon()).

Try to add these lines of code

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

Link to check

Rahul
  • 5,603
  • 6
  • 34
  • 57
  • if it maintains the sessionID after logging out, then the next login on the same browser will always return the same user, am i correct? – user384080 Jul 08 '13 at 07:39
  • yes it if maintains `sessionId` then next login on same browser will return same user. – Rahul Jul 08 '13 at 07:41
  • but the problem is the user sees some else's name, meaning he logs in with his account but another account is being returned by the application.. i really don't understand how this could happen!? – user384080 Jul 08 '13 at 07:45
  • show me your code that where you assign value to session,if you are assigning it before use then it will work fine,,show me your code. – Rahul Jul 08 '13 at 07:47