In my Global.asax file, I am setting a session value:
    Sub Begin(ByVal sender As Object, ByVal e As EventArgs) Handles Me.AcquireRequestState
        ...
        Session("ID") = UserID
        ...
    End Sub
And then, in a class file, I reference the session and set a class variable:
    Class User
        Const userID As Integer = HttpContext.Current.Session("ID")
    End Class
When someone logs in, the Global file does a process to get the user ID and sets it in the session. This value is then available throughout the app via the class file.
The problem I am having is that, when the first person signs in, say user "1", the Session("UserID") and HttpContext.Current.Session("UserID") are the same. However, when someone else on a completely different computer signs in, say user "2", the Session("UserID") is 2, but the HttpContext.Current.Session("UserID") is 1.
Does anyone know why this happens?
EDIT: I have additional information about this now. So the real thing that is happening here doesn't have anything to do with the session values being different. In fact, the session values are all the same, as they should be. What is actually happening is that I am setting the class fields to that of the session values when the class is constructed, but I guess I'm not updating them. I thought that using an auto-property, it would update the value. Apparently that isn't the case. What I had to do was this:
    ' The getter runs on every access, so it reads the current request's session.
    Public Shared ReadOnly Property ID As Integer
        Get
            Return CInt(HttpContext.Current.Session("ID"))
        End Get
    End Property
This allowed the class property to update whenever it is referenced and allowed me to set it as read-only, since there is no SET method.
While this solved my actual problem, it left a question unanswered: Why would a class property, that is set upon construction by one user, be accessible by another user who is on a completely different work station and has a completely different session? I understand that this is all server-side code and both users are accessing the same code. It seems that when the app is first accessed, it is compiled in some way, and the class properties/fields are set and are, for some reason, available to anyone else accessing the app. Is this correct? Isn't this a security risk?
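The behaviour asked about in the last paragraph, as an added example that is not part of the original post: a Shared member exists once per application domain rather than once per session, so a value copied into it during the first request is what every later request sees. This is a console sketch; `FakeContext`, `CachedUser`, `LiveUser` and `HandleRequest` are hypothetical names, and `FakeContext.CurrentSession` is a simplified, single-threaded stand-in for `HttpContext.Current.Session`.

```vbnet
Imports System
Imports System.Collections.Generic

' Assumption: simplified stand-in for HttpContext.Current.Session.
Module FakeContext
    Public CurrentSession As Dictionary(Of String, Object)
End Module

Class CachedUser
    ' Shared field: one copy for the whole process, not one per session.
    Public Shared ReadOnly ID As Integer

    ' Runs once, the first time the class is touched, using whichever
    ' session happens to be current at that moment.
    Shared Sub New()
        ID = CInt(FakeContext.CurrentSession("ID"))
    End Sub
End Class

Class LiveUser
    ' Shared property: nothing is stored; the getter re-reads the
    ' current request's session on every access.
    Public Shared ReadOnly Property ID As Integer
        Get
            Return CInt(FakeContext.CurrentSession("ID"))
        End Get
    End Property
End Class

Module Program
    ' Simulates one request: bind the caller's session, then read both values.
    Function HandleRequest(session As Dictionary(Of String, Object)) As String
        FakeContext.CurrentSession = session
        Return String.Format("session ID={0} cached={1} live={2}",
                             session("ID"), CachedUser.ID, LiveUser.ID)
    End Function

    Sub Main()
        ' Constructed sample sessions for two different users.
        Dim s1 As New Dictionary(Of String, Object) From {{"ID", 1}}
        Dim s2 As New Dictionary(Of String, Object) From {{"ID", 2}}
        Console.WriteLine(HandleRequest(s1))
        Console.WriteLine(HandleRequest(s2))
    End Sub
End Module
```

The second request reports its own session ID through `LiveUser.ID` but still gets the first user's ID from `CachedUser.ID`, which is why per-user data should stay in the session or the request and never be copied into Shared state.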