.NET Session.SessionID same on different computers

We are having an issue with Session.SessionID not getting a new ID for multiple users. A few users from different IP locations get the same Session.SessionID causing wrong Session Variable values to be returned. One computer is getting the same ID between Chrome and IE.

The server was restarted and the computers are still receiving the same SessionID. We changed from SQL Server Session to InProc Sessions and the same SessionID is still being generated for the same users.

We are just setting Session variables and not using forms authentication, as this is being handled separately.

The server is Windows 2012 with IIS 8.0.

Please let me know if you need additional information.
youritstaff Asked:
 
youritstaff (Author) Commented:
We found the issue. Believe it or not, it was the URL. The user that sent the invitation had the SessionID embedded in the URL. A handful of users consistently used it.

I don't understand why IIS wouldn't create a new id if that particular one didn't exist anymore. Are there any suggested best practices to prevent this in the future? I saw where some are creating the SessionIDs based on user/IP/browser/etc. But I would think that IIS 8.0 would try to do a better job at handling this vulnerability.

Thanks for your assistance.
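As an added example (not part of the thread or any participant's code), this Python sketch scans IIS W3C logs for the condition described in the comment above: one URL-embedded session token, `(S(...))`, requested by more than one client. It assumes the token is logged in `cs-uri-stem` and that IDs are 24 alphanumeric characters; the log lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the cookieless token appears in the logged path as /(S(<24-char id>))/...
TOKEN_RE = re.compile(r"\(S\(([a-z0-9]{24})\)\)", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-01-01 10:00:00 GET /(S(aaaabbbbccccddddeeee0123))/invite.aspx 203.0.113.10 Mozilla/5.0+Chrome 200
2024-01-01 10:02:00 GET /(S(aaaabbbbccccddddeeee0123))/invite.aspx 198.51.100.7 Mozilla/5.0+Chrome 200
2024-01-01 10:03:00 GET /(S(aaaabbbbccccddddeeee0123))/home.aspx 198.51.100.7 Mozilla/5.0+Trident 200
2024-01-01 10:05:00 GET /(S(zzzzyyyyxxxxwwwwvvvv5432))/home.aspx 192.0.2.44 Mozilla/5.0+Firefox 200
2024-01-01 10:06:00 GET /default.aspx 192.0.2.45 Mozilla/5.0+Firefox 200
""".splitlines()


def shared_session_ids(lines, min_clients=2):
    """Map each session ID to the (c-ip, user-agent) pairs that used it,
    keeping only IDs seen from at least `min_clients` distinct clients."""
    fields = []
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order varies per site, so read it from the directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        match = TOKEN_RE.search(row.get("cs-uri-stem", ""))
        if match:
            # A browser on the same IP counts as a separate client, which
            # covers the Chrome/IE case on a single computer.
            client = (row.get("c-ip", "-"), row.get("cs(User-Agent)", "-"))
            seen[match.group(1).lower()].add(client)
    return {sid: sorted(c) for sid, c in seen.items() if len(c) >= min_clients}


if __name__ == "__main__":
    for sid, clients in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} shared by {len(clients)} clients:")
        for ip, agent in clients:
            print(f"  {ip}  {agent}")
```
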
 
käµfm³d 👽 Commented:
Is your server behind a load balancer or reverse proxy?
 
youritstaff (Author) Commented:
Yes, behind a load balancer. But we have it directing to one server since this issue started.
 
käµfm³d 👽 Commented:
If you remove the load balancer from the equation altogether, do you still experience the issue?
 
youritstaff (Author) Commented:
I'm checking with the infrastructure group to see if they can make that happen. Have you seen issues like this in the past with SessionIDs and Load Balancers?
 
käµfm³d 👽 Commented:
I haven't, but another team in my group had an issue with session hijacking. I double-checked with them, and their issue turned out to be related to AppFabric, though.
Question has a verified solution.