Solved

Same SessionID returned in 2 different machines

Posted on 2003-12-10
15
837 Views
Last Modified: 2012-06-21
Using VB.NET, IIS5, W2K Adv SP3 all patches, .net 1.0 SP2, VS.NET 2002
Using forms authentication, persistent cookie = false

I would gladly give all my points for an answer but max is 500 pts... Please help!

Recently my asp.net app is returning wrong data to users. Users frequently
get data that should only be seen by another user.

Upon authentication against the database in the login page, I set the auth cookie
and fill some session variables like userid, user role... This info is
then read and used as criteria for the database query.

In search for an answer I set a hidden field = session.sessionID.tostring
that gets filled on every page_load and discovered that sometimes the
sessionID returned is exactly the same in two browsers running on two
different machines. Also noticed that when this happens to user B, user A
had recently logged in.

I know that if users use the same machine/browser, the sessionID is the same and lives for the browser instance lifetime. Also aware that two browser instances share the same sessionID, but this is not the question. Users are miles away from each other...

I thought I was changing session data somewhere in my app, thus the
described errors, but now I understand that as the browser gets a sessionID
that is already being used by another user on another machine, my queries get the session
values of the other user and not the current user.

I also noticed that sometimes the hidden field of user A on page1.aspx was
sessionID ex. xxxxaaaa... and when navigating to another page the sessionID
value was different but = to the sessionID of user B.

Also tested: if on page_load SessionID <> Hidden Field Value, redirect to the
login page, and sometimes users are redirected, meaning that the sessionID
is not the same...

More details on my config that might be relevant:
All pages have EnableSessionState=True
Have session_start and session_end counting number of users online in
global.asax
Have connection String defined as a constant in global.asax
Have Application_Error in global.asax sending e-mail with Server.GetLastError
IIS has no expiration (no-cache) defined

Please Help, Looking for a resolution for some days, read dozens of
threads, my books, msdn ... no way... Losing users trust... :(

Thanks

B
0
Question by:jbarros
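A server-side cross-check a practitioner would add while chasing this, as an added example that is not part of the original question (VB.NET Global.asax.vb code written for this page, not the poster's code): on the first authenticated request, record in the session which user the forms-authentication ticket names; on every later request, refuse to run the page if the session already belongs to a different user. The session key "BoundUser" and the login page path "~/login.aspx" are assumptions, since the poster does not name the login page.

```vb
' Global.asax.vb (added example, not the poster's code).
' Binds the ASP.NET session to the forms-authentication identity and
' refuses to serve a page whose session data belongs to another user.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.SessionState

Public Class Global
    Inherits HttpApplication

    ' Assumed path of the login page (not given in the original question).
    Private Const LoginPage As String = "~/login.aspx"

    ' PreRequestHandlerExecute fires after session state has been acquired
    ' and before the page runs, so both Session and User are populated.
    Sub Application_PreRequestHandlerExecute(ByVal sender As Object, ByVal e As EventArgs)
        ' Handlers without session state (images, web services) have no Session.
        If Context.Session Is Nothing Then Exit Sub
        ' Anonymous requests have nothing to bind to.
        If Context.User Is Nothing OrElse Not Context.User.Identity.IsAuthenticated Then Exit Sub

        Dim ticketUser As String = Context.User.Identity.Name
        Dim sessionUser As String = CType(Context.Session("BoundUser"), String)

        If sessionUser Is Nothing Then
            ' First authenticated request on this session: record its owner.
            Context.Session("BoundUser") = ticketUser
        ElseIf sessionUser <> ticketUser Then
            ' The ticket and the session disagree. Never run the page with
            ' another user's session values: drop both and force a re-login.
            Context.Session.Abandon()
            FormsAuthentication.SignOut()
            Context.Response.Redirect(LoginPage, True)
        End If
    End Sub
End Class
```

This does not explain why two browsers are handed the same ID, but it turns a silent cross-user data leak into a forced re-login, and the ElseIf branch is the natural place to log both user names together with Session.SessionID for later correlation. It cannot help when a proxy replays a cached copy of another user's page, because that response never reaches the server; that case is what the no-store headers discussed in the rest of the thread are for.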
15 Comments
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9911940
Stab in the dark, but try using other anti-caching headers:
Name:pragma
Value:no-cache

I have often found that the pragma header is the only effective way of stopping caching
0
 
LVL 4

Expert Comment

by:JNSTAUB
ID: 9912101
Are you or your clients using a proxy? It may be a proxy cache problem; in this case add
the time as a variable in your querystring to force a cache miss
0
 

Author Comment

by:jbarros
ID: 9916914
Thanks for the reply,
How can a proxy be related to this problem? In fact my users are behind proxies. I do not use the query string. Most of the user data I need is in the session variables...
Already using pragma and no-cache directives. IIS is set to expire content.

I just don't understand what is happening... If a new browser instance starts a new session, and that session is guaranteed to be unique, how can two browsers have the same value?

I think that each browser has a unique sessionID but IIS sends a response to the wrong user and assigns a sessionID that belongs to another browser instance on another machine (as described in the initial post).

B
0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9917048
ASP Session IDs are not unique... but should be in your situation, unless you're in a load-balanced situation.
I know you've read a lot but please look at:
http://www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp6.asp?frame=true
There is a paragraph in there relating to non-unique session ids

Also do you set any session variables during your session_onstart
0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9917093
Sorry, having read and re-read your original posting (and some more) I will have to step out of this one as it is beyond me
I hope someone can come to your rescue
0
 

Author Comment

by:jbarros
ID: 9933820
In search for a solution, my data queries are now based on cookie values. Users are authenticated and user data is set up in the UserData portion of the authentication ticket.
So I am not setting any session values like user ID or User role anymore. I think this means that my problem (my BIG problem) is not session related.

Before I saw your post I had already deployed the cookie based solution. And the same problem occurred. Users are viewing other users' info. In the hidden field that gets the sessionID value, the sessionID is the same. The problem seems to occur intermittently.

So I set output caching off, but not in all pages, that's true. Thought this was the solution but, although users complain less, it happened again. I think you are correct and that it is a cache / proxy related issue.

This is how I set outputcache off
But I do not know if I am doing it the right way, please advise:
I Read Microsoft's Caching Architecture Guide for .NET Framework Applications for guidance and so, in some of the pages, I set on 1st line of Page_Load (not checking IsPostBack):

Response.Cache.SetCacheability(HttpCacheability.NoCache)

Also on the aspx page I set:
<%@ Page Language="vb" .... %>
<%
Response.Expires = -1
Response.ExpiresAbsolute = Now()
Response.AddHeader("pragma", "no-cache")
Response.CacheControl = "no-cache"
%>
<HTML>
<HEAD>
<TITLE>....

I do have one user control on my default.aspx page with a <%@ OutputCache Duration="84000" VaryByParam="None" %> but I think this is called fragment caching and does not influence how the page is or is not cached in browsers/proxies.

Also set IIS virtual directory of this app HTTP HEADERS configured to Enable Content Expiration = Expire Immediately.

Is this the correct way? I noticed that users' browsers now return a message about content expiration. But shouldn't the back button always return this message? I think it is also important to know that if users hit the F5 key they get the correct page. The problem seems to occur when the number of users reaches 15-30.

Thank You
B
0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9934737
Add a custom HTTP Header on the IIS Web Site

Name:pragma
Value:no-cache

and

Name:Cache-Control
Value:no-cache

Restart IIS and see if this solves your problem
0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9963563
How are you getting on with this?
Did the pragma on the web site/virtual directory work?
0
 

Author Comment

by:jbarros
ID: 9963673
Thank You Makr for your help!
Still no solution...
Set IIS 5, virtual directory of my app HTTP Headers to Cache-control: no-cache and Pragma: no-cache. For two days no calls about this issue. But today... it happened again, same session.ID in hidden field in two machines miles away from each other and even using different proxies (ISA), User B gets user A data. I really don't understand how this is possible. So many web apps out there... working.

Also set this, on Page_Load
CacheMode(CacheType.HeaderNoCache)

Public Sub CacheMode(ByVal RequestedCacheMode As CacheType)
    ' Select on the parameter, not on the CacheType enum name
    Select Case RequestedCacheMode
        Case CacheType.HeaderNoCache
            ' Cache-Control: no-cache, no-store, max-age=0, must-revalidate; also bypass ASP.NET output cache
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetNoServerCaching()
        Case CacheType.HeaderPrivateYesExpires
            ' Cache-Control: private, no-store, max-age=0 plus an Expires date in the past and Pragma for HTTP/1.0 proxies
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetExpires(Now.AddDays(-2))
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
        Case CacheType.HeaderPrivateNoExpires
            ' Same as above without the Expires header
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
    End Select
End Sub

Public Enum CacheType As Integer
    HeaderNoCache = 0
    HeaderPrivateYesExpires = 1
    HeaderPrivateNoExpires = 2
End Enum

Is this correct?
I think it might be important to know that when user B gets user A data, it seems to get the page as the first time load, that is with some listboxes filled with the default data for that user.
The user control I'm using does not have user-related data. It just caches some pure html and is intended to show that same data to all users. But my problem occurs in other pages. This implementation is recent and the problem was already occurring.
Another thought: IIS is using compression (xcompress 2.1 for IIS). Could this be related?

Please help, I'm going crazy, really.
B
0
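Rather than stamping the headers in each Page_Load and in each .aspx render block, as the poster's two caching comments above do, an added example (written for this page, not the poster's code) that applies one policy to every ASP.NET response from a single place: an IHttpModule registered in web.config. It uses only HttpCachePolicy members that exist in .NET Framework 1.0. The module class name and the assembly name "MyApp" in the registration snippet are assumptions.

```vb
' NoCacheModule.vb (added example, not the poster's code).
' One IHttpModule that marks every ASP.NET response as uncacheable, so no
' individual page can forget to do it.
Imports System
Imports System.Web

Public Class NoCacheModule
    Implements IHttpModule

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        ' EndRequest runs after the page has rendered but before the
        ' buffered response headers are written to the client.
        AddHandler app.EndRequest, AddressOf OnEndRequest
    End Sub

    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    Private Sub OnEndRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim app As HttpApplication = CType(sender, HttpApplication)
        Dim cache As HttpCachePolicy = app.Response.Cache

        cache.SetCacheability(HttpCacheability.NoCache)         ' Cache-Control: no-cache
        cache.SetNoStore()                                      ' Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches)  ' must-revalidate, proxy-revalidate
        cache.SetExpires(DateTime.Now.AddDays(-1))              ' Expires date in the past
        cache.SetNoServerCaching()                              ' bypass ASP.NET page output cache
        app.Response.AppendHeader("Pragma", "no-cache")         ' for HTTP/1.0 proxies
    End Sub
End Class

' web.config registration (assembly name "MyApp" is assumed):
' <configuration>
'   <system.web>
'     <httpModules>
'       <add name="NoCacheModule" type="NoCacheModule, MyApp" />
'     </httpModules>
'   </system.web>
' </configuration>
```

EndRequest fires after the page has run, so a page cannot accidentally weaken the policy, but the headers must still be unsent at that point: a page that calls Response.Flush or runs with buffering off has already committed its headers, and for such pages the same handler can be attached to PreRequestHandlerExecute instead. The module only sees requests that IIS maps to ASP.NET, so the IIS-level custom headers suggested earlier in the thread remain the way to cover static files. None of these headers affect fragment caching: a user control under OutputCache with VaryByParam="None" is rendered once and served to every user, so whatever it contains must genuinely be identical for all users.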
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9963898
Like you I am running out of ideas.
One thing you could try to resolve the proxy caching issue is to create a new virtual directory with all the anti-cache headers and point it to your existing app.
I think this issue has occurred and will continue to occur as the clients are caching, hence the idea about switching the virtual directory.
What I am trying to say (but probably not clearly) is that you should try creating a new web site so that anything that was cached is not relevant anymore as it's not the same site.

The F5 issue is the pointer here that it is a caching issue.  Have you tried using a cookie to force refresh at client side?
I know its a bad answer but the following script should reload the page once only

      function cookieGet(strName)
      {
        var strSearch = strName + "=";
        var strReturn = "";
        var lngOffset, lngEnd;
        if (document.cookie.length > 0)
        {
          lngOffset = document.cookie.indexOf(strSearch);
          if (lngOffset != -1)
          {
            lngOffset += strSearch.length;
            lngEnd = document.cookie.indexOf(";", lngOffset);
            if (lngEnd == -1)
              lngEnd = document.cookie.length;
            strReturn = unescape(document.cookie.substring(lngOffset, lngEnd));
          }
        }
        return strReturn;
      }

      // Cookie name is the escaped URL so "=" and ";" in the href cannot break it.
      var strKey = escape(window.location.href);
      if (cookieGet(strKey) == '')
      {
        // Set the marker first, then force a reload that bypasses the cache.
        document.cookie = strKey + "=done";
        window.location.reload(true);
      }

0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 9963927
Sorry typo in the above cookie script
Change the reload line to

window.location.reload(true);
0
 
LVL 7

Expert Comment

by:Makr_Watson27
ID: 10191727
jbarros: Did you ever get this working?  If so what was the answer?
0
 

Accepted Solution

by:
PAQ_Man earned 0 total points
ID: 13430225
PAQed with points refunded (500)

PAQ_Man
Community Support Moderator
0
