Same SessionID returned in 2 different machines

Posted on 2003-12-10
Last Modified: 2012-06-21
Using VB.NET, IIS5, W2K Adv SP3 all patches, .net 1.0 SP2, VS.NET 2002
Using forms authentication, persistent cookie = false

I would gladly give all my points for an answer but max is 500 pts... Please help!

Recently my app is returning wrong data to users. Users frequently
get data that should only be seen by other users.

Upon authentication against database in the login page, I set auth cookie
and fill some session variables like userid, user role ... this info is
then read and used as criteria for database query.

In search for an answer I set a hidden field = session.sessionID.tostring
that gets filled every page_load and discovered that sometimes the
sessionID returned is exactly the same in two browsers running in two
different machines. Also noticed that when this happens to user B, user A
had been recently logged.

I know that if users use the same machine/browser, sessionID is the same and lives for the browser instance lifetime. Also aware that two browser instances share the same sessionID but this is not the question. Users are miles away from each other...

I thought I was changing session data somewhere in my app, thus the
described errors, but now I understand that as the browser gets a sessionID
that is already being used by another user in another machine my queries get the session
values of the other user and not the current user

I also noticed that sometimes the hidden field of user A of page1.aspx was
sessionID ex. xxxxaaaa... and when navigating to another page the sessionID
value was different but = to sessionID of user B

Also tested if on page_load, SessionID <> Hidden Field Value , redirect to
login page, and sometimes users are redirected meaning that the sessionID
is not the same...

More details on my config that might be relevant:
All pages have EnableSessionState=True
Have session_start and session_end counting number of users online in
Have connection String defined as a constant in global.asax
Have Application_Error in global.asax sending e-mail with Server.GetLastError
IIS has not expiration(no-cache) defined

Please Help, Looking for a resolution for some days, read dozens of
threads, my books, msdn ... no way... Losing users trust... :(


Question by:jbarros

Expert Comment

ID: 9911940
Stab in the dark, but you could try using other anti-caching headers:

I have often found that the pragma header is the only effective way of stopping caching

Expert Comment

ID: 9912101
Are you or your clients using a proxy? It may be a proxy cache problem; in this case add
the time as a variable in your querystring to force a cache miss.

Author Comment

ID: 9916914
Thanks for the reply,
How can a proxy be related to this problem? In fact my users are behind proxies. I do not use query string. Most of the user data I need is in the session variables...
Already using pragma and no-cache directives. IIS is set to expire content.

I just don't understand what is happening... If a new browser instance starts a new session, and that session is guaranteed to be unique, how can two browsers have the same value?

I think that each browser has a unique sessionID but IIS sends a response to the wrong user and assigns a sessionID that belongs to another browser instance in another machine (as described in initial post).


Expert Comment

ID: 9917048
ASP Session IDs are not unique...but should be in your situation, unless you're in a load-balanced situation.
I know you've read a lot but please look at:
There is a paragraph in there relating to non-unique session ids

Also, do you set any session variables during your session_onstart?

Expert Comment

ID: 9917093
Sorry, having read and re-read your original posting (and some more) I will have to step out of this one as it is beyond me
I hope someone can come to your rescue

Author Comment

ID: 9933820
In search for a solution, my data queries are now based on cookie values. Users are authenticated and user data is set up in the UserData portion of the authentication ticket.
So I am not setting any session values like user ID or User role anymore. I think this means that my problem (my BIG problem) is not session related.

Before I saw your post I had already deployed the cookie based solution. And the same problem occurred. Users are viewing other users info. In the hidden field that gets the sessionID value the sessionID is the same. The problem seems to occur intermittently.

So I set output caching off, but not in all pages, that's true. Thought this was the solution but, although users complain less, it happened again. I think you are correct and that it is a cache / proxy related issue.

This is how I set outputcache off
But I do not know if I am doing it the good way, please advise:
I read Microsoft's Caching Architecture Guide for .NET Framework Applications for guidance and so, in some of the pages, I set on 1st line of Page_Load (not checking IsPostBack):


Also on the aspx page I set:
<%@ Page Language="vb" .... %>
<%
Response.Expires = -1
Response.ExpiresAbsolute = Now()
Response.AddHeader("pragma", "no-cache")
Response.CacheControl = "no-cache"
%>

I do have one user control on my default.aspx page with a <%@ OutputCache Duration="84000" VaryByParam="None" %> but I think this is called fragment caching and does not influence how the page is or is not cached in browser/proxies.

Also set IIS virtual directory of this app HTTP HEADERS configured to Enable Content Expiration = Expire Immediately.

Is this the correct way? I noticed that users browsers now return a message about content expiration. But shouldn't the back button always return this message? I think it is also important to know that if users hit the F5 key they get the correct page. The problem seems to occur when number of users reach 15-30.

Thank You
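
As an added example (not code from this thread), the Python check below audits captured response headers against HTTP/1.1 caching rules: `private` or `no-store` is what keeps a shared proxy from storing a response, `no-cache` only forces revalidation, and `Pragma: no-cache` is not defined for responses. The function names are hypothetical and the sample headers and cookie values are constructed.

```python
# Added example: flag responses that set a cookie while still being storable
# by a shared cache such as a forward proxy. Not code from the thread.

def parse_head(raw):
    """Parse a status line plus headers into (status, {name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit(raw):
    """Return finding codes for one response head; [] means nothing flagged."""
    _, h = parse_head(raw)
    cc = set()
    for value in h.get("cache-control", []):
        cc |= {d.split("=")[0].strip().lower() for d in value.split(",") if d.strip()}
    pragma = any(v.lower() == "no-cache" for v in h.get("pragma", []))
    findings = []
    if "set-cookie" in h:
        if "public" in cc:
            findings.append("COOKIE_PUBLIC")               # explicitly shareable
        elif not cc & {"private", "no-store"}:
            if "no-cache" in cc:
                # Storable, but a compliant cache must revalidate before reuse.
                findings.append("COOKIE_STORABLE_REVALIDATE")
            else:
                findings.append("COOKIE_STORABLE")         # nothing restricts storage
    if pragma and not cc:
        findings.append("PRAGMA_ONLY")  # Pragma alone is not reliable on responses
    return findings

# Constructed sample response heads; cookie values are placeholders.
COOKIE = "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/\n"
SAMPLES = {
    "pragma_only": "HTTP/1.1 200 OK\nPragma: no-cache\nExpires: -1\n" + COOKIE,
    "no_cache": "HTTP/1.1 200 OK\nCache-Control: no-cache\nPragma: no-cache\n" + COOKIE,
    "private_no_store": "HTTP/1.1 200 OK\nCache-Control: private, no-store\n" + COOKIE,
}

def run():
    """Audit every sample and return {sample name: findings}."""
    return {name: audit(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings or "ok")
```

Feeding it response heads captured on the client side of the proxy shows which headers actually arrive there, which may differ from what the page or IIS was configured to send.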

Expert Comment

ID: 9934737
Add a custom HTTP Header on the IIS Web Site




Restart IIS and see if this solves your problem

Expert Comment

ID: 9963563
How are you getting on with this?
Did the pragma on the web site/virtual directory work?

Author Comment

ID: 9963673
Thank You Makr for your help!
Still no solution...
Set IIS 5, virtual directory of my app HTTP Headers to Cache-control: no-cache and Pragma: no-cache. For two days no calls about this issue. But today... it happened again, same session.ID in hidden field in two machines miles away from each other and even using different proxies (ISA), User B gets user A data. I really don't understand how this is possible. So many web apps out there... working.

Also set this, on Page_Load

Public Sub CacheMode(ByVal RequestedCacheMode As CacheType)
    ' Branch on the value passed in, not on the enum type itself
    Select Case RequestedCacheMode
        Case CacheType.HeaderNoCache
        Case CacheType.HeaderPrivateYesExpires
            ' Ask HTTP/1.0 caches not to reuse the response
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
        Case CacheType.HeaderPrivateNoExpires
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
    End Select
End Sub

Public Enum CacheType As Integer
    HeaderNoCache = 0
    HeaderPrivateYesExpires = 1
    HeaderPrivateNoExpires = 2
End Enum

Is this correct?
I think it might be important to know that when user B gets user A data, it seems to get the page as the first time load, that is with some listboxes filled with the default data for that user.
The user control I'm using does not have user related data. It just caches some pure html and is intended to show that same data to all users. But my problem occurs in other pages. This implementation is recent and the problem was already occurring.
Another thought: IIS is using compression (xcompress 2.1 for IIS). Could this be related?

Please help, I'm going crazy, really.

Expert Comment

ID: 9963898
Like you I am running out of ideas.
One thing you could try to resolve the proxy caching issue is to create a new virtual directory with all the anti-cache headers and point it to your existing app.
I think this issue has occurred and will continue to occur as the clients are caching, hence the idea about switching the virtual directory.
What I am trying to say (But probably not clearly) is that you should try creating a new web site so that anything that was cached is not relevant anymore as it's not the same site.

The F5 issue is the pointer here that it is a caching issue. Have you tried using a cookie to force refresh at client side?
I know it's a bad answer but the following script should reload the page once only

      function cookieGet(strName) {
        // Return the value of the cookie called strName, or "" if it is not set
        var strSearch = strName + "=";
        var strReturn = "";
        if (document.cookie.length > 0) {
          var lngOffset = document.cookie.indexOf(strSearch);
          if (lngOffset != -1) {
            lngOffset += strSearch.length;
            var lngEnd = document.cookie.indexOf(";", lngOffset);
            if (lngEnd == -1)
              lngEnd = document.cookie.length;
            strReturn = unescape(document.cookie.substring(lngOffset, lngEnd));
          }
        }
        return strReturn;
      }

      // Reload once per URL: the cookie records that this page was already refreshed
      if (cookieGet(window.location.href) == '') {
        document.cookie = window.location.href + "=done";
        window.location.reload();
      }


Expert Comment

ID: 9963927
Sorry typo in the above cookie script
Change the reload line to


Expert Comment

ID: 10191727
jbarros: Did you ever get this working?  If so what was the answer?

Accepted Solution

PAQ_Man earned 0 total points
ID: 13430225
PAQed with points refunded (500)

Community Support Moderator
