
I am facing an issue with one of the deployed applications where I am seeing the same session IDs being provided to different users. The main source of this analysis is the NLog file, which outputs the session and identity.

The deployed environment is ASP.NET MVC 5.2, .NET 4.5, IIS 8.5.

I am unable to reproduce the error on my local system with a simulated load of 200 users, and I am also not able to figure out any pattern as to when the session IDs are getting re-used.

I have tried to

Further to this, I want to try a couple of things:

  1. I will try to assign a dummy value on every successful login just to ensure that session is used
  2. Try to use in-memory session rather than using Redis Session State Provider
  3. Remove the dependency of session in the application and use cache

I am not sure if I am looking in the right direction in solving this issue. Any suggestions will be of great help.

Sharath Chandra
  • IIS / browser would never have duplicated ASP.NET session IDs. Are you sure it has nothing to do with session hijacking that someone tried? Is it happening for all users? Try changing the session ID after a user logs in / logs out so the chances of session hijacking are very low. – techspider Apr 25 '16 at 18:22
  • Session hijacking chances are very slim since it's within the organizational firewall. No, it's not happening for all users; however, I don't have any pattern yet. I will add changing the session ID once the user logs in to my list of to-do things. On explicit logout, I abandon the session and invalidate the auth cookie. – Sharath Chandra Apr 25 '16 at 18:27
  • One of the patterns I am observing is: say a user is assigned session ID "vbi5fjbi35msncbsgmtsc5k5", and this is used for multiple requests. The log has multiple lines like "vbi5fjbi35msncbsgmtsc5k5" | {testdomain\testuser1} .... "vbi5fjbi35msncbsgmtsc5k5" | {testdomain\testuser1} .... But in between I can see a different session ID for the same user: "ppvfcuzingyxkd5cemh5nl4z" | {testdomain\testuser1} .... Then after a couple of requests the session ID is reverted back to the old one. – Sharath Chandra Apr 26 '16 at 09:15
  • I think I made some progress on this issue. I made 2 changes: -- Added a Session_Start: protected void Session_Start(Object sender, EventArgs e) { logger.Debug("Starting the session "); Session["init"] = DateTime.Now; } -- Moved the site to https. I will continue with testing tomorrow and check if the issue is fixed. – Sharath Chandra Apr 26 '16 at 12:40
  • Write a line of text, "start session" and "end session", to the log in both the Session_Start and Session_End events. I hope the user is not running parallel instances of your site, for example one login on IE and another login on Chrome, using both in parallel... – techspider Apr 26 '16 at 13:54
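
One way to check the NLog output for both patterns discussed in this thread (a session ID logged under more than one identity, and a user whose session ID changes and then reverts), as an added example that is not part of the original question or comments. The line shape is assumed from the log excerpt quoted in the comments; the function names, the request paths and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line shape, from the excerpt in the comments: "<session id>" | {<domain\user>} ...
LINE_RE = re.compile(r'"(?P<sid>[A-Za-z0-9]+)"\s*\|\s*\{(?P<user>[^}]+)\}')

# Constructed sample log (not real data). The two testuser1 IDs are the ones
# quoted in the thread; everything else is made up.
SAMPLE_LOG = r'''
"vbi5fjbi35msncbsgmtsc5k5" | {testdomain\testuser1} GET /home
"vbi5fjbi35msncbsgmtsc5k5" | {testdomain\testuser1} GET /orders
"ppvfcuzingyxkd5cemh5nl4z" | {testdomain\testuser1} GET /orders/7
"vbi5fjbi35msncbsgmtsc5k5" | {testdomain\testuser1} POST /orders/7
"aaaa1111bbbb2222cccc3333" | {testdomain\testuser2} GET /home
"aaaa1111bbbb2222cccc3333" | {testdomain\testuser3} GET /home
'''

def parse(log_text):
    """Yield (session_id, user) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Windows account names are case-insensitive, so normalise them.
            yield m.group("sid"), m.group("user").lower()

def shared_sessions(events):
    """Session IDs logged with more than one identity."""
    users = defaultdict(set)
    for sid, user in events:
        users[sid].add(user)
    return {sid: sorted(u) for sid, u in users.items() if len(u) > 1}

def reverting_users(events):
    """Users whose session ID changes and later returns to an earlier value."""
    history = defaultdict(list)  # user -> session IDs in order, consecutive repeats collapsed
    for sid, user in events:
        if not history[user] or history[user][-1] != sid:
            history[user].append(sid)
    # A repeated ID in the collapsed history means the user went back to an old session.
    return {u: h for u, h in history.items() if len(h) != len(set(h))}

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("shared session IDs:", shared_sessions(events))
    print("users reverting to an old ID:", reverting_users(events))
```

A revert for a single user with no other identity on either ID fits the parallel-browser case raised in the last comment; an ID appearing under two identities is the case that needs the server-side session and auth-cookie handling examined.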
