jbarros
asked on
Same SessionID returned in 2 different machines
Using VB.NET, IIS5, W2K Adv SP3 all patches, .net 1.0 SP2, VS.NET 2002
Using forms authentication, persistent cookie = false
I would gladly give all my points for an answer but max is 500 pts... Please help!
Recently my asp.net app is returning wrong data to users. Users frequently
get data that should only be seen by other user.
Upon authentication against database in the login page, I set auth cookie
and fill some session variables like userid, user role ... this info is
then read and used as criteria for database query.
In search for an answer I set a hidden field = session.sessionID.tostring
that gets filled every page_load and discovered that sometimes the
sessionID returned is exactly the same in two browsers running in two
different machines. Also noticed that when this happens to user B, user A
had been recently logged.
I know that if users use the same machine/browser, sessionID is the same and lives for the browser instance lifetime. Also aware that two browser instances share the same sessionID but this is not the question. Users are miles away from each other...
I thought I was changing session data somewhere in my app, thus the
described errors, but now I understand that as the browser gets a sessionID
that is already being used by another user in another machine my queries get the session
values of the other user and not the current user
I also noticed that sometimes the hidden field of user A of page1.aspx was
sessionID ex. xxxxaaaa... and when navigating to another page the sessionID
value was different but = to sessionID of user B
Also tested if on page_load, SessionID <> Hidden Field Value , redirect to
login page, and sometimes users are redirected meaning that the sessionID
is not the same...
More details on my config that might be relevant:
All pages have EnableSessionState=True
Have session_start and session_end counting number of users online in
global.asax
Have connection String defined as a constant in global.asax
Have Application_Error in global.asax sending e-mail with Server.GetLastError
IIS has not expiration(no-cache) defined
Please Help, Looking for a resolution for some days, read dozens of
threads, my books, msdn ... no way... Losing users trust... :(
Thanks
B
Are you or your clients using a proxy? It may be a proxy cache problem; in this case add
the time as a variable in your querystring to force a cache miss.
ASKER
Thanks for the reply,
How can a proxy be related to this problem? In fact my users are behind proxies. I do not use query string. Most of the user data I need is in the session variables...
Already using pragma and no-cache directives. IIS is set to expire content.
I just don't understand what is happening... If a new browser instance starts a new session, and that session is guaranteed to be unique, how can two browsers have the same value?
I think that each browser has a unique sessionID but IIS sends a response to the wrong user and assigns a sessionID that belongs to another browser instance in another machine (as described in initial post).
B
ASP Session IDs are not unique...but should be in your situation, unless you're in a load-balanced situation.
I know you've read a lot but please look at:
http://www.microsoft.com/technet/prodtechnol/iis/iis5/reskit/iis50rg/iischp6.asp?frame=true
There is a paragraph in there relating to non-unique session ids
Also do you set any session variables during your session_onstart
Sorry, having read and re-read your original posting (and some more) I will have to step out of this one as it is beyond me
I hope someone can come to your rescue
ASKER
In search for a solution, my data queries are now based on cookie values. Users are authenticated and user data is set up in the UserData portion of the authentication ticket.
So I am not setting any session values like user ID or User role anymore. I think this means that my problem (my BIG problem) is not session related.
Before I saw your post I had already deployed the cookie based solution. And the same problem occurred. Users are viewing other users' info. In the hidden field that gets the sessionID value the sessionID is the same. The problem seems to occur intermittently.
So I set output caching off, but not in all pages, that's true. Thought this was the solution but, although users complain less, it happened again. I think you are correct and that it is a cache / proxy related issue.
This is how I set outputcache off
But I do not know if I am doing it the good way, please advise:
I read Microsoft's Caching Architecture Guide for .NET Framework Applications for guidance and so, in some of the pages, I set on 1st line of Page_Load (not checking IsPostBack):
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Also on the aspx page I set:
<%@ Page Language="vb" .... %>
<%
Response.Expires = -1
Response.ExpiresAbsolute = Now()
Response.AddHeader("pragma", "no-cache")
Response.CacheControl = "no-cache"
%>
<HTML>
<HEAD>
<TITLE>....
I do have one user control on my default.aspx page with a <%@ OutputCache Duration="84000" VaryByParam="None" %> but I think this is called fragment caching and does not influence how the page is or is not cached in browser/proxies.
Also set IIS virtual directory of this app HTTP HEADERS configured to Enable Content Expiration = Expire Immediately.
Is this the correct way? I noticed that users' browsers now return a message about content expiration. But shouldn't the back button always return this message? I think it is also important to know that if users hit the F5 key they get the correct page. The problem seems to occur when number of users reach 15-30.
Thank You
B
Add a custom HTTP Header on the IIS Web Site
Name:pragma
Value:no-cache
and
Name:cachecontrol
Value:no-cache
Restart IIS and see if this solves your problem
How are you getting on with this?
Did the pragma on the web site/virtual directory work?
ASKER
Thank You Makr for your help!
Still no solution...
Set IIS 5, virtual directory of my app HTTP Headers to Cache-control: no-cache and Pragma: no-cache. For two days no calls about this issue. But today... it happened again, same session.ID in hidden field in two machines miles away from each other and even using different proxies (ISA), User B gets user A data. I really don't understand how this is possible. So many web apps out there... working.
Also set this, on Page_Load
CacheMode(CacheType.HeaderNoCache)
Public Sub CacheMode(ByVal RequestedCacheMode As CacheType)
    ' Branch on the value passed in, not on the enum type itself
    Select Case RequestedCacheMode
        Case CacheType.HeaderNoCache
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetNoServerCaching()
        Case CacheType.HeaderPrivateYesExpires
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetMaxAge(TimeSpan.Zero)
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.Cache.SetExpires(Now.AddDays(-2))
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
        Case CacheType.HeaderPrivateNoExpires
            HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.Private)
            HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches)
            HttpContext.Current.Response.Cache.SetNoStore()
            HttpContext.Current.Response.Cache.SetNoTransforms()
            HttpContext.Current.Response.AddHeader("Pragma", "no-cache")
    End Select
End Sub
Public Enum CacheType As Integer
    HeaderNoCache = 0
    HeaderPrivateYesExpires = 1
    HeaderPrivateNoExpires = 2
End Enum
Is this correct?
I think it might be important to know that when user B gets user A data, it seems to get the page as the first time load, that is with some listboxes filled with the default data for that user.
The user control I'm using does not have user related data. It just caches some pure html and is intended to show that same data to all users. But my problem occurs in other pages. This implementation is recent and the problem was already occurring.
Another thought: IIS is using compression (xcompress 2.1 for IIS). Could this be related?
Please help, I'm going crazy, really.
B
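An added example, not part of the original thread: a Node.js check of whether a shared (proxy) cache is allowed to store and replay a response, which is the condition under which one user's page and session cookie can reach another user. The function names and the sample header sets are constructed for illustration, and the classification is a simplified reading of the HTTP caching rules.

```javascript
// Added example: how a shared (proxy) cache may treat a response, using a
// simplified reading of the HTTP caching rules. All names are illustrative.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives[name.toLowerCase()] = arg === undefined ? true : arg;
  }
  return directives;
}

function sharedCacheVerdict(headers, now = Date.now()) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);

  let verdict;
  if ("no-store" in cc || "private" in cc) {
    verdict = "not-stored"; // a shared cache must not keep a copy
  } else if ("no-cache" in cc) {
    verdict = "revalidate"; // stored copy is never reused without asking the origin
  } else {
    // Explicit freshness: s-maxage, then max-age, then Expires.
    let lifetime = null;
    if ("s-maxage" in cc) lifetime = Number(cc["s-maxage"]);
    else if ("max-age" in cc) lifetime = Number(cc["max-age"]);
    else if ("expires" in h) {
      const t = Date.parse(h["expires"]);
      lifetime = Number.isNaN(t) ? 0 : (t - now) / 1000; // unparsable = expired
    }
    if (lifetime === null) {
      // No explicit lifetime: a cache may guess one from Last-Modified.
      verdict = "last-modified" in h ? "heuristic" : "revalidate";
    } else {
      verdict = lifetime > 0 ? "reusable" : "revalidate";
    }
  }
  // A replayable response that carries Set-Cookie hands one user's session
  // cookie to every client served from the cached copy.
  const replayable = verdict === "reusable" || verdict === "heuristic";
  return { verdict, leaksCookie: replayable && "set-cookie" in h };
}

// Constructed header sets (not captured from the application in the thread).
const SAMPLES = {
  hardened: { "Cache-Control": "no-cache, no-store", Pragma: "no-cache", Expires: "-1" },
  leaky: { "Cache-Control": "max-age=600", "Set-Cookie": "ASP.NET_SessionId=CONSTRUCTED; path=/" },
  bare: { "Last-Modified": "Mon, 06 Jan 2003 10:00:00 GMT", "Set-Cookie": "ASP.NET_SessionId=CONSTRUCTED; path=/" },
};

for (const [name, hdrs] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(sharedCacheVerdict(hdrs)));
}
```

Run it against the headers as seen from the client side of the proxy, not only those configured in IIS, since an intermediary or a compression filter can alter what actually arrives.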
Like you I am running out of ideas.
One thing you could try to resolve the proxy caching issue is to create a new virtual directory with all the anti-cache headers and point it to your existing app.
I think this issue has occurred and will continue to occur as the clients are caching, hence the idea about switching the virtual directory.
What I am trying to say (but probably not clearly) is that you should try creating a new web site so that anything that was cached is not relevant anymore as it's not the same site.
The F5 issue is the pointer here that it is a caching issue. Have you tried using a cookie to force refresh at client side?
I know it's a bad answer but the following script should reload the page once only
function cookieGet(strName)
{
    var strSearch = strName + "="
    var strReturn = "";
    if (document.cookie.length > 0)
    {
        lngOffset = document.cookie.indexOf(strSearch)
        if (lngOffset != -1) {
            lngOffset += strSearch.length
            lngEnd = document.cookie.indexOf(";", lngOffset);
            if (lngEnd == -1)
                lngEnd = document.cookie.length;
            strReturn=unescape(document.cookie.substring(lngOffset, lngEnd))
        }
    }
    return strReturn;
}
if (cookieGet(window.location.href)=='')
{
    window.location.reload;
    document.cookie = window.location.href + "=done"
}
Sorry typo in the above cookie script
Change the reload line to
window.location.reload(true);
jbarros: Did you ever get this working? If so what was the answer?
ASKER CERTIFIED SOLUTION
Name:pragma
Value:no-cache
I have often found that the pragma header is the only effective way of stopping caching