ASP.NET session randomly reused when using iframe

Question

I have a scenario like this:

An ASP.NET form WebForm1.aspx, which contains an iFrame to WebForm2.aspx, and code to trace the current SessionId. An ASP.NET form WebForm2.aspx, which contains code to trace the current SessionId.

As someone here suggested, I do this in each page load, and in Global.asax (Session_Start):

Session["dummy"] = "dummy";

The web.config is configured like this:

For testing purposes I created two Windows Forms applications, which do the following:

1) Call the WebForm1.aspx from one single WebBrowser control 10 times.

2) Call the WebForm1.aspx from 10 different WebBrowser controls, each a single time.

The results are:

1) Always the same SessionId in WebForm1 as well as in WebForm2.

2) Multiple SessionIds are generated:

Form1: ixbahucx3wmii452xlgserk5
Form1: wqh5dwsyovnnwclkfvanlj30
Form1: vddeexb1bfmo4uqw5qjdjol4
Form1: bavcxrgtaz5hvzswlabnuefy
Form1: v2rhzfjwoptmhfpbm2qzzfgh
Form1: pjtiez5dmxldfoojmflsbf1u
Form1: znf0qq41bmsccbjqcdpulefp
Form1: bml5vvj13c22yj0agfua5gyk
Form1: lzdufc3y55tqci0gtfgmpq33
Form1: nch1bocb0obw3tfi0rnz4fa4
Form2: v2rhzfjwoptmhfpbm2qzzfgh
Form2: v2rhzfjwoptmhfpbm2qzzfgh
Form2: znf0qq41bmsccbjqcdpulefp
Form2: znf0qq41bmsccbjqcdpulefp
Form2: lzdufc3y55tqci0gtfgmpq33
Form2: lzdufc3y55tqci0gtfgmpq33
Form2: nch1bocb0obw3tfi0rnz4fa4
Form2: nch1bocb0obw3tfi0rnz4fa4
Form2: nch1bocb0obw3tfi0rnz4fa4
Form2: v2rhzfjwoptmhfpbm2qzzfgh

What is the reason, that some SessionIds in WebForm1 do not have a corresponding one in WebForm2?

Answer 1

ASP.NET uses cookies to keep SessionId.

When request already contains ASP.NET_SessionId cookie, ASP.NET uses Session ID value from cookie to restore (OR to create, in case of time out) Session object on server side.

When request doesn't contain ASP.NET_SessionId cookie, ASP.Net creates new Session object, generates new Session ID for it, and sends Set-Cookie header with Session ID value with response.

So basically if browser already has cookie values set, or has processed Set-Cookie header from previous response, it will use it to send next request, and 'old' session will be reused; otherwise new session will be created.

Case 1 shows this pretty good.

Case 2 is more complex, but looks like you start all 10 requests simultaneously, and browser controls shares the same cookie storage.

First ten requests generates ten completely different sessions, as they don't have cookies set:

(1) Form1: ixbahucx3wmii452xlgserk5
(2) Form1: wqh5dwsyovnnwclkfvanlj30
(3) Form1: vddeexb1bfmo4uqw5qjdjol4
(4) Form1: bavcxrgtaz5hvzswlabnuefy
(5) Form1: v2rhzfjwoptmhfpbm2qzzfgh
(6) Form1: pjtiez5dmxldfoojmflsbf1u
(7) Form1: znf0qq41bmsccbjqcdpulefp
(8) Form1: bml5vvj13c22yj0agfua5gyk
(9) Form1: lzdufc3y55tqci0gtfgmpq33
(10) Form1: nch1bocb0obw3tfi0rnz4fa4

Next, requests one by one started to respond by server, and each will contain Set-Cookie header (as all requests didn't have SessionID cookie). Each new of these Set-Cookie will overwrite previous one, and browsers will request Form2 from iframe with newly set sessionId. One by one below:

received response from (5), sent 2 requests before next response:

(11) Form2: v2rhzfjwoptmhfpbm2qzzfgh
(12) Form2: v2rhzfjwoptmhfpbm2qzzfgh

received response from (7), sent 2 requests before next response:

(13) Form2: znf0qq41bmsccbjqcdpulefp
(14) Form2: znf0qq41bmsccbjqcdpulefp

received response from (9), sent 2 requests before next response:

(15) Form2: lzdufc3y55tqci0gtfgmpq33
(16) Form2: lzdufc3y55tqci0gtfgmpq33

received response from (10), sent 3 requests before next response:

(17) Form2: nch1bocb0obw3tfi0rnz4fa4
(18) Form2: nch1bocb0obw3tfi0rnz4fa4
(19) Form2: nch1bocb0obw3tfi0rnz4fa4

this request sent after response to (5), but response received just now:

(20) Form2: v2rhzfjwoptmhfpbm2qzzfgh