Same SessionID returned in 2 different machines
Posted on 2003-12-10
Using VB.NET, IIS5, W2K Adv SP3 all patches, .net 1.0 SP2, VS.NET 2002
Using forms authentication, persistent cookie = false
I would gladly give all my points for an answer but max is 500 pts... Please help!
Recently my asp.net app is returning wrong data to users. Users frequently
get data that should only be seen by another user.
Upon authentication against the database in the login page, I set the auth cookie
and fill some session variables like userid, user role ... this info is
then read and used as criteria for the database query.
In search of an answer I set a hidden field = session.sessionID.tostring
that gets filled on every page_load and discovered that sometimes the
sessionID returned is exactly the same in two browsers running on two
different machines. Also noticed that when this happens to user B, user A
had recently logged in.
I know that if users use the same machine/browser, the sessionID is the same and lives for the browser instance lifetime. Also aware that two browser instances share the same sessionID, but this is not the question. Users are miles away from each other...
I thought I was changing session data somewhere in my app, thus the
described errors, but now I understand that as the browser gets a sessionID
that is already being used by another user on another machine, my queries get the session
values of the other user and not the current user.
I also noticed that sometimes the hidden field of user A on page1.aspx was
sessionID ex. xxxxaaaa... and when navigating to another page the sessionID
value was different but equal to the sessionID of user B.
Also tested: if on page_load SessionID <> Hidden Field Value, redirect to the
login page, and sometimes users are redirected, meaning that the sessionID
is not the same...
More details on my config that might be relevant:
All pages have EnableSessionState=True
Have session_start and session_end counting the number of users online in
Have connection String defined as a constant in global.asax
Have Application_Error in global.asax sending e-mail with Server.GetLastError
IIS has no expiration (no-cache) defined
Please help. I have been looking for a resolution for some days, read dozens of
threads, my books, MSDN ... no way... Losing users' trust... :(
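One defensive check for the situation described above, added here as an example and not the poster's code: a base Page class that treats the forms-authentication ticket (signed and encrypted per browser) as the only source of identity, and discards any session whose stored user name does not agree with it instead of running queries with another user's session values. The session key "username", the login page path "login.aspx" and the class name are assumed placeholders.

```vb
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI
Imports System.Web.SessionState

' Base class for every authenticated page (example code, not the poster's app).
' Identity comes from the forms-auth ticket; Session is only a cache of it.
Public Class GuardedPage
    Inherits Page

    ' Placeholder: the login page is assumed to store the authenticated
    ' user name under this key right after the database check succeeds.
    Private Const UserKey As String = "username"
    ' Placeholder: path of the login page in this application.
    Private Const LoginPage As String = "login.aspx"

    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        If Not Request.IsAuthenticated Then
            Response.Redirect(LoginPage)
            Return
        End If

        Dim ticketName As String = User.Identity.Name
        Dim sessionName As String = CType(Session(UserKey), String)

        ' Session empty, expired, or (as in the reported case) shared with a
        ' different browser: throw it away rather than serve its values.
        If sessionName Is Nothing OrElse sessionName <> ticketName Then
            Session.Abandon()
            FormsAuthentication.SignOut()
            Response.Redirect(LoginPage)
            Return
        End If

        MyBase.OnLoad(e)
    End Sub

    ' Use this, not Session("userid"), as the criterion for data queries.
    Protected ReadOnly Property CurrentUserName() As String
        Get
            Return User.Identity.Name
        End Get
    End Property
End Class
```

Session.Abandon discards the stored values but ASP.NET 1.x keeps the same ASP.NET_SessionId cookie on the browser, so the comparison has to run on every page, not only at login.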