Josh Stodola

Reputation: 82483

ASP.NET Session Mix-up using StateServer (SCARY!)

We store two objects in session. Somehow, one of the objects from another user got loaded into a different user's session. The user should have had no access to this particular data, and as soon as they saw it they knew something was very wrong.

We have visual proof of the data that was presented to him, and there is certainly no way it could've happened unless the sessions got mixed up. This is a very scary situation which we cannot figure out (we cannot reproduce it). The only answer for us is to blame ASP.NET StateServer for mixing the session variables up, which is completely unacceptable and puts us in a bad position.

Our applications are ASP.NET 2.0 apps running on Windows Server 2003 with IIS6, using the StateServer cookieless="false" session mode and FormsAuthentication.

Has anybody else had this problem? How can we resolve it?

Upvotes: 18

Views: 10694

Answers (6)

Linus

Reputation: 1256

We ran into this exact issue in my previous company and took 3 weeks to debug it. ASP.NET was giving a user someone else's session state. It was really impossible to duplicate in a debug environment.

The fix when we found it was just something in web.config. I don't fully remember it, so I spent some time googling. I believe the issue had something to do with output caching. Take a look at this article under "Sessions and Output Caching".

http://download.microsoft.com/download/3/a/7/3a7fa450-1f33-41f7-9e6d-3aa95b5a6aea/MSDNMagazineJuly2006en-us.chm (the article is titled "Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls" by Jeff Prosise, in the July 2006 edition of MSDN Magazine)

If that sounds like your scenario, then the fix might just be disabling the enableKernelOutputCache option in web.config.

Good luck.

Upvotes: 15

David

Reputation: 73564

Possible answer - similar issue reported using cookieless session state.

session showing something wrong

Edit - Added

Another possible answer:

An ASP.NET page is stored in the HTTP.sys kernel cache in IIS 6.0 when the ASP.NET page generates an HTTP header that contains a Set-Cookie response

Upvotes: 3
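
A check for the condition the answers above point to (a response that sets a session cookie while remaining reusable by HTTP.sys or a proxy cache), as an added example that is not part of the original thread. It assumes the default ASP.NET cookie names ASP.NET_SessionId and .ASPXAUTH; the sample responses are constructed.

```python
# Added example: flag responses that set a session/auth cookie but carry no
# Cache-Control directive that keeps a shared cache from replaying them.
SESSION_COOKIES = ("asp.net_sessionid", ".aspxauth")  # assumed ASP.NET defaults
NO_SHARE = ("private", "no-store", "no-cache")

def parse_headers(raw):
    """Return [(lowercased name, value), ...] from a raw HTTP response head."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def session_cookies_set(headers):
    """Names of session/auth cookies this response sets."""
    names = [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]
    return [c for c in names if c.lower() in SESSION_COOKIES]

def is_shareable(headers):
    """True when nothing forbids reuse for another user. A missing
    Cache-Control header is treated as shareable (conservative choice)."""
    directives = []
    for name, value in headers:
        if name == "cache-control":
            directives += [d.split("=")[0].strip().lower() for d in value.split(",")]
    return not any(d in NO_SHARE for d in directives)

def audit(raw):
    headers = parse_headers(raw)
    cookies = session_cookies_set(headers)
    if cookies and is_shareable(headers):
        return "RISK: sets %s on a shareable response" % ", ".join(cookies)
    return "ok"

# Constructed sample responses (not captured from any real system).
SAMPLE_CACHED = """HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Set-Cookie: ASP.NET_SessionId=constructedvalue0000000000; path=/; HttpOnly
"""
SAMPLE_PRIVATE = """HTTP/1.1 200 OK
Cache-Control: private
Set-Cookie: ASP.NET_SessionId=constructedvalue0000000000; path=/; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("cached", SAMPLE_CACHED), ("private", SAMPLE_PRIVATE)):
        print(label, "->", audit(raw))
```

Run it over response heads saved from a proxy or load-test capture; any RISK line identifies a URL whose caching settings deserve a look.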

stuartdotnet

Reputation: 3034

Had this problem, turned out to be an OutputCache attribute on a partial view.

Upvotes: 0

GBegen

Reputation: 6157

Could the two crossed users both be using the same caching proxy? If so, then one user might see data that was cached for another user if the URLs matched, especially if the proxy isn't well behaved.

Wasn't this the main problem with the Google Web Accelerator project (now discontinued)?

Upvotes: 0

Wagner

Reputation: 307

How many times did it occur? Did you check for users using browser back or sending links to each other with session ids?

One way to check for sure about a State Server bug is to switch to another session manager: fall back to in-proc if you can, or use SQL Server. But it would be better to find a way to reproduce the bug first so you could test it.

Upvotes: 0

to StackOverflow

Reputation: 124706

Look for bugs in your own code first - this is by far the most likely explanation. E.g. using static fields or other shared memory such as the ASP.NET cache for user-specific data.

Upvotes: 6
