7

My site allows anonymous users. I saw that under heavy load anonymous users get sometimes profile values from other users.

I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my loggs that there are always a couple of users who share the same value in .ASPXANONYMOUS.

I can see in the my logs that 2 or more users realy get the same cookievalue for .ASPXANONYMOUS even if they have different IP.

Here is the htttp traffic. In the second image the changing cookie is shown (You have to display the image full size do be able to read the log):

One of the many requests that work ok:

alt text http://img413.imageshack.us/img413/2711/log1.gif

Then there is this one request that changes the cookie alt text http://img704.imageshack.us/img704/8175/log2.gif

Then the new cookie is used

alt text http://img704.imageshack.us/img704/3818/log3.gif

Just to be safe I removed dependency injection. I dont use OutputCaching.

My web.config has this setting for authentication:

 <anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS" 
      cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />

  <authentication mode="Forms">
        <forms loginUrl="~/de/Account/Login" />
    </authentication>

Does anybody have an idea what else I could log or what I should have a look at?

UPDATE

I saw now that the http-traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.

This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.

The problem realy is, that whenever the cokies get set from the AnonymousIdentificationModule, then there is a chance that a couple of user get this cookie. Setting a cookie in my application doesnt have this strange sideefect.

Mathias F
  • 15,906
  • 22
  • 89
  • 159
  • So, if a particular request is borking your cookies, perhaps some relevant source from that request would help track down the problem? – Sky Sanders Mar 21 '10 at 17:55
  • 1
    I am not yet shure if the problem is realy one particular request. I have the impression that a couple of controller instances use the same HttpContext at some point. I was not yet able to reproduce the error in stage and development, even if I put a lot of traffic on it, thats why I can give so little detail here. – Mathias F Mar 21 '10 at 18:38
  • No, its still an unsolved issue for my application. Right now I dont use the AnonymousIdentificationModule and created my own implementation of it. I basically set a cookie value to a Guid. It works well so far, but not knowing what went wrong just feels bad... – Mathias F Apr 30 '10 at 07:55

2 Answers2

3

I had the same problem and solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this

Community
  • 1
  • 1
John Smith
  • 103
  • 9
  • The first link is very interesting. I dont have output caching enabled but I still think I can use some of the hints in the article. – Mathias F Sep 24 '11 at 22:21
1

Are you declaring any static variables in your code at all? I had this similar issue, and narrowed it down to that; at least for my situation.

TheGeekYouNeed
  • 7,509
  • 2
  • 26
  • 43
  • Sounds interesting! Right now I dont see how this could apply to my code. I only have private static readonly ILog _log = LogManager.GetLogger(typeof(HomeController)); And I dont log in the one action I touch right now. But that is a good lead anyway! – Mathias F Mar 18 '10 at 08:27
  • Have you looked at this other question here http://stackoverflow.com/questions/513782?tab=oldest#tab-top Maybe something in here can help? – TheGeekYouNeed Mar 23 '10 at 17:04