Same SessionID returned in 2 different machines

Using VB.NET, IIS5, W2K Adv SP3 all patches, .net 1.0 SP2, VS.NET 2002
Using forms authentication, persistent cookie = false

I would gladly give all my points for an answer but max is 500 pts... Please help!

Recently my asp.net app is returning wrong data to users. Users frequently
get data that should only be seen by another user.

Upon authentication against database in the login page, I set auth cookie
and fill some session variables like userid, user role ... this info is
then read and used as criteria for database query.

In search for an answer I set a hidden field = session.sessionID.tostring
that gets filled every page_load and discovered that sometimes the
sessionID returned is exactly the same in two browsers running in two
different machines. Also noticed that when this happens to user B, user A
had been recently logged.

I know that if users use the same machine/browser, sessionID is the same and lives for the browser instance lifetime. Also aware that two browser instances share the same sessionID but this is not the question. Users are miles away from each other...

I thought I was changing session data somewhere in my app, thus the
described errors, but now I understand that as the browser gets a sessionID
that is already being used by another user in another machine my queries get the session
values of the other user and not the current user

I also noticed that sometimes the hidden field of user A of page1.aspx was
sessionID ex. xxxxaaaa... and when navigating to another page the sessionID
value was different but = to sessionID of user B

Also tested if on page_load, SessionID <> Hidden Field Value , redirect to
login page, and sometimes users are redirected meaning that the sessionID
is not the same...

More details on my config that might be relevant:
All pages have EnableSessionState=True
Have session_start and session_end counting number of users online in
global.asax
Have connection String defined as a constant in global.asax
Have Application_Error in global.asax sending e-mail with Server.GetLastError
IIS has not expiration(no-cache) defined

Please Help, Looking for a resolution for some days, read dozens of
threads, my books, msdn ... no way... Losing users trust... :(

Thanks

B
jbarrosAsked:
Makr_Watson27Commented:
Stab in the dark, but try using other anti-caching headers:
Name:pragma
Value:no-cache

I have often found that the pragma header is the only effective way of stopping caching
0
JNSTAUBCommented:
Are you or your clients using a proxy? It may be a proxy cache problem; in this case add
the time as a variable in your querystring to force a cache miss
0
jbarrosAuthor Commented:
Thanks for the reply,
How can a proxy be related to this problem? In fact my users are behind proxies. I do not use query string. Most of the user data I need is in the session variables...
Already using pragma and no-cache directives. IIS is set to expire content.

I just don't understand what is happening... If a new browser instance starts a new session, and that session is guaranteed to be unique, how can two browsers have the same value?

I think that each browser has a unique sessionID but iis sends a response to the wrong user and assigns a sessionID that belongs to another browser instance in another machine (as described in initial post).

B
0
Makr_Watson27Commented:
ASP Session IDs are not unique...but should be in your situation, unless you're in a load-balanced situation.
I know you've read a lot but please look at:
http://www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp6.asp?frame=true
There is a paragraph in there relating to non-unique session ids

Also, do you set any session variables during your session_onstart?
0
Makr_Watson27Commented:
Sorry, having read and re-read your original posting (and some more) I will have to step out of this one as it is beyond me
I hope someone can come to your rescue
0
jbarrosAuthor Commented:
In search for a solution, my data queries are now based on cookie values. Users are authenticated and user data is set up in the UserData portion of the authentication ticket.
So I am not setting any session values like user ID or User role anymore. I think this means that my problem (my BIG problem) is not session related.

Before I saw your post I had already deployed the cookie based solution. And the same problem occurred. Users are viewing other users info. In the hidden field that gets the sessionID value the sessionID is the same. The problem seems to occur intermittently.

So I set output caching off, but not in all pages, that's true. Thought this was the solution but, although users complain less, it happened again. I think you are correct and that it is a cache / proxy related issue.

This is how I set outputcache off
But I do not know if I am doing it the good way, please advise:
I read Microsoft's Caching Architecture Guide for .NET Framework Applications for guidance and so, in some of the pages, I set on 1st line of Page_Load (not checking IsPostBack):

Response.Cache.SetCacheability(HttpCacheability.NoCache)

Also on the aspx page I set:
<%@ Page Language="vb" .... %>
<%
Response.Expires = -1
Response.ExpiresAbsolute = Now()
Response.AddHeader("pragma", "no-cache")
Response.CacheControl = "no-cache"
%>
<HTML>
<HEAD>
<TITLE>....

I do have one user control on my default.aspx page with a <%@ OutputCache Duration="84000" VaryByParam="None" %> but I think this is called fragment caching and does not influence how the page is or is not cached in browser/proxies.

Also set IIS virtual directory of this app HTTP HEADERS configured to Enable Content Expiration = Expire Immediately.

Is this the correct way? I noticed that users' browsers now return a message about content expiration. But shouldn't the back button always return this message? I think it is also important to know that if users hit the F5 key they get the correct page. The problem seems to occur when number of users reach 15-30.

Thank You
B
0
Makr_Watson27Commented:
Add a custom HTTP Header on the IIS Web Site

Name:pragma
Value:no-cache

and

Name:cachecontrol
Value:no-cache

Restart IIS and see if this solves your problem
0
Makr_Watson27Commented:
How are you getting on with this?
Did the pragma on the web site/virtual directory work?
0
jbarrosAuthor Commented:
Thank You Makr for your help!
Still no solution...
Set IIS 5, virtual directory of my app HTTP Headers to Cache-control: no-cache and Pragma: no-cache. For two days no calls about this issue. But today... it happened again, same session.ID in hidden field in two machines miles away from each other and even using different proxies (ISA), User B gets user A data. I really don't understand how this is possible. So many web apps out there... working.

Also set this, on Page_Load
CacheMode(CacheType.HeaderNoCache)

Public Sub CacheMode(ByVal RequestedCacheMode As CacheType)
    ' Switch on the requested mode (the parameter), not on the enum type
    Select Case RequestedCacheMode
        Case CacheType.HeaderNoCache
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetNoServerCaching()
        Case CacheType.HeaderPrivateYesExpires
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetExpires(Now.AddDays(-2))
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
        Case CacheType.HeaderPrivateNoExpires
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
    End Select
End Sub

' Cache header presets selectable from Page_Load
Public Enum CacheType As Integer
    HeaderNoCache = 0
    HeaderPrivateYesExpires = 1
    HeaderPrivateNoExpires = 2
End Enum

Is this correct?
I think it might be important to know that when user B gets user A data, it seems to get the page as the first time load, that is with some listboxes filled with the default data for that user.
The user control I'm using does not have user related data. It just caches some pure html and is intended to show that same data to all users. But my problem occurs in other pages. This implementation is recent and the problem was already occurring.
Another thought: IIS is using compression (xcompress 2.1 for IIS). Could this be related?

Please help, I'm going crazy, really.
B
0
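Added example, not part of any post in this thread: a small Node.js check that reads a response's headers the way a shared (proxy) cache would and flags a Set-Cookie sent on a response that such a cache is allowed to store. The function names and the header sets (including the session cookie value) are constructed for illustration; only Cache-Control directives are evaluated, Expires is not.

```javascript
// Added example. The header sets in SAMPLES are constructed, not captured traffic.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives[name.toLowerCase()] = arg === undefined ? true : arg.replace(/"/g, "");
  }
  return directives;
}

function auditResponse(headers) {
  const h = {}; // header names are case-insensitive, so normalise them first
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  // Only no-store or private stop a shared cache from storing the response;
  // no-cache permits storage but requires revalidation before reuse.
  const sharedMayStore = !(cc["no-store"] || cc["private"]);
  // For shared caches s-maxage takes precedence over max-age. Expires is not evaluated.
  const age = cc["s-maxage"] ?? cc["max-age"];
  const mustRevalidate = Boolean(cc["no-cache"]) || age === "0";
  const findings = [];
  if (!("cache-control" in h)) findings.push("no Cache-Control header present");
  if ("cachecontrol" in h) findings.push("'cachecontrol' is not a standard header name");
  if (sharedMayStore && "set-cookie" in h) findings.push("Set-Cookie on a response a shared cache may store");
  if (sharedMayStore && !mustRevalidate) findings.push("Cache-Control does not force revalidation");
  return { sharedMayStore, mustRevalidate, findings };
}

const COOKIE = "ASP.NET_SessionId=constructedvalue0000; path=/"; // constructed value
const SAMPLES = {
  // Custom header names as typed in the IIS custom-header suggestion earlier in the thread
  customNames: { "pragma": "no-cache", "cachecontrol": "no-cache", "Set-Cookie": COOKIE },
  // Standard header name, no-cache only
  noCacheOnly: { "Cache-Control": "no-cache", "Pragma": "no-cache", "Set-Cookie": COOKIE },
  // Adds private and no-store, which forbid shared-cache storage
  privateNoStore: { "Cache-Control": "private, no-cache, no-store", "Set-Cookie": COOKIE },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditResponse(headers)));
}
```

Feeding it the headers actually received by a client behind the proxy, rather than the ones configured on the server, shows what the intermediary is really being told.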
Makr_Watson27Commented:
Like you I am running out of ideas.
One thing you could try to resolve the proxy caching issue is to create a new virtual directory with all the anti-cache headers and point it to your existing app.
I think this issue has occurred and will continue to occur as the clients are caching, hence the idea about switching the virtual directory.
What I am trying to say (But probably not clearly) is that you should try creating a new web site so that anything that was cached is not relevant anymore as it's not the same site.

The F5 issue is the pointer here that it is a caching issue. Have you tried using a cookie to force refresh at client side?
I know it's a bad answer but the following script should reload the page once only

      function cookieGet(strName)
      {
        var strSearch = strName + "=";
        var strReturn = "";
        var lngOffset, lngEnd;
        if (document.cookie.length > 0)
        {
          lngOffset = document.cookie.indexOf(strSearch);
          if (lngOffset != -1)
          {
            lngOffset += strSearch.length;
            lngEnd = document.cookie.indexOf(";", lngOffset);
            // No trailing ";" means this is the last cookie in the string
            if (lngEnd == -1)
              lngEnd = document.cookie.length;
            strReturn = unescape(document.cookie.substring(lngOffset, lngEnd));
          }
        }
        return strReturn;
      }

      if (cookieGet(window.location.href) == '')
      {
        window.location.reload;
        document.cookie = window.location.href + "=done";
      }

0
Makr_Watson27Commented:
Sorry typo in the above cookie script
Change the reload line to

window.location.reload(true);
0
Makr_Watson27Commented:
jbarros: Did you ever get this working?  If so what was the answer?
0
PAQ_ManCommented:
PAQed with points refunded (500)

PAQ_Man
Community Support Moderator
0
