3

I'm seeing multiple users logging in to my .NET 3.5 web application and sharing the same session ID. This appears to be happening most often when users are on different computers on the same network, but it appears to be happening between users on different networks as well. My users are logging in within a minute of each other and getting the same session ID. Consequently, user B is seeing user A's data.

We are using multiple worker processes on the Server 2003 R2 box. Session AND viewstate are stored in SQL Server. Session is set up to use cookies, not URL, to store the ID.

This question is similar to these questions, but neither matches my scenario:

This one turned out to be a false report

This one used IIS7 <--It particularly looks like this one, but I'm on IIS 6, which does NOT use dynamic output caching, right?

Why is my application assigning the same session ID to different machines? How can I stop it from happening?

Edit: I am highly skeptical that session is the culprit, but I am being outweighed by my colleagues. It is more likely that there is a code problem, but I can't explain why the session IDs that we are logging are identical. Yes, there could be a problem with the logging code, but that wouldn't explain why user B is getting user A's stored session data.

Community
  • 1
  • 1
samiz
  • 1,043
  • 1
  • 13
  • 21
  • It's unlikely duplicate sessionID's are being used. You can easily verify this by displaying Session.SessionID. More likely, you are doing something incorrect in your code. – Steve Wellens Aug 25 '11 at 01:10
  • It's unlikely, but it appears to be true. We log every authentication in a table, and we include the SessionID. – samiz Aug 25 '11 at 01:11
  • Look at the browsers. Do the BROWSERS have the same SessionID which is simply a cookie. – Steve Wellens Aug 25 '11 at 01:13
  • That's a good question. If we could reproduce the problem in house, I'd be able to answer. Our only evidence at this point is the log and the reported problem. Any idea why it would be logging a session ID that is different from what the browser is using AND happen to show the wrong data to the user? – samiz Aug 25 '11 at 01:16
  • Steve is correct, Session.SessionID(s) are unique, browser sessions are unique. You have a bug in your code. – rick schott Aug 25 '11 at 02:41
  • Is it at all possible that an agressive proxy could cause the problem? This is a relatively rare problem in our application, so I'm looking for some reason why it would only show up in certain cases. – samiz Aug 25 '11 at 16:46
  • You could take a look at the answer I posted to another question: http://stackoverflow.com/a/40916666/1864395 – Sander_P Dec 05 '16 at 11:30
  • Possible duplicate of [Asp.net Sessions Getting Crossed / Mixed Up](http://stackoverflow.com/questions/5574388/asp-net-sessions-getting-crossed-mixed-up) – Sander_P Dec 15 '16 at 13:58

1 Answers1

1

Do you have any code that is static (shared in vb.net). This could cause the problem. Also, Session is not truly initialized until something is actually stored in session.

Peter Bromberg
  • 1,498
  • 8
  • 11
  • We do use static classes to pull data from Session, but the problem would be quite a bit more prevalent if this were the problem, I think. I could be wrong. Also, we store ViewState in Session. Would this initialize session? – samiz Aug 25 '11 at 16:45