1

I hope someone out there has some update to date information on sessions and their IDs.

I'm running on IIS 7 and we're seeing Sessions assigned to more than 1 IP address.

I ruled out the possibility of it being caused by users resetting their IP addresses, for instance by unplugging their modems.

In at least one instance a user logged in and found data from a different user in had been saved to his account (the user IDs that determine in which account the data is stored are kept in session variables). In another instance an employee logged in to check a problem as was given the session of a different user.

It's not just the session variables, but I saw in our log the session ID itself is being associated with two different IP addresses. At one point this was happening with over 10% of our users.

I'm wondering if the problem is not in our system, because I'm seeing that in each case the IPs sharing a session ID are on the same ISP or share at least one NameServer.

I very much welcome any ideas, we're getting desperate!

Hanan Schwartzberg
  • 51
  • 4
  • alright, sounds weird. but to resolve your issue, we first need to know what your environment looks like: programming language ( iis can run a lot of stuff ), any caching/balancing instances? – moritz Feb 07 '10 at 04:35
  • fair point, I'm using .NET 3.5, specificly C#. We have no caching/balancing in place on our end, but I have considered it as a possibility on the user/ISP end. Is this an issue you've ever seen in any of the .NET environments? – Hanan Schwartzberg Feb 07 '10 at 13:07

1 Answers1

4

It's a caching issue with IIS7. Read more here: http://lionsden.co.il/codeden/?p=446

Hanan Schwartzberg
  • 51
  • 4