RE: Session IDs not unique?
- From: Joe <campesino@xxxxxxxxxxxxxxxx>
- Date: Tue, 28 Nov 2006 19:55:01 -0800
prash,
The more I think about it and the more I learn about this kernel output
cache issue, the more suspicious I am that this is causing my problem. I'm
definitely using IIS 6, and I'm guessing that I am using output caching on
some page that also uses session state. Additionally, there must be some rare
scenario where a user requests the page that has output caching enabled
without having a current session cookie, and the page gets cached with the
"set cookie" header. Some subsequent requests to the cached page will then
switch users' session ID. It won't happen to everyone, only those requesting the
page that got cached. The fact that it happens for a period of ~20 minutes
sure sounds like caching.
Thanks for the tip, I will respond to this post when I get verification one
way or another.
For others out there, here are some important links:
http://support.microsoft.com/default.aspx/kb/917072
http://msdn.microsoft.com/msdnmag/issues/06/07/WebAppFollies/default.aspx#S2
The second link is much more informative. If the author is correct, however,
this is an ASP.NET bug, not just a weird scenario gotcha. Why in the world
hasn't this been addressed through an SP or at least a hotfix or something?
I'm also kinda surprised that this isn't something people commonly run into
(perhaps it is and I'm just in the dark).
Thanks again.
"prash" wrote:
We seem to have the same problem. Did you try turning off kernel output cache?
prash
"Joe" wrote:
A user of one of our sites recently reported that they were "seeing someone
else's data". Naturally, this got many people in the organization VERY
concerned and I began to try and troubleshoot. Upon inspecting some custom
logs that our application keeps (in SQL server tables) I found that at the
time this user was on the site there were 7 users that signed in to our site
and were using the same session ID. These users all logged in over the
course of ~20 minutes. Getting curious, I checked the logs for past
occurrences of this and found about 20 occurrences over the last year and
a half. Each time, within a time span of ~30 mins., several users signed in and
our log entry reports the same session ID for them.
I know it sounds unlikely that ASP.NET is assigning the same session ID to
multiple users (thus causing them to share session state) but everything I am
seeing so far is indicating that this is in fact the case. Can anyone think
of a scenario that could cause this to happen or seem like it is happening?
Thanks in advance for your help,
Joe
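
The log check described in the thread, as an added example that is not part of the original posts: it groups sign-in records by session ID and reports each burst in which more than one distinct user presented the same ID. The log layout, the sample rows and the 30-minute gap threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: (timestamp, user, session ID).
SAMPLE_LOG = [
    ("2006-11-20 09:00:05", "alice", "sid-aaa111"),
    ("2006-11-20 09:02:40", "bob",   "sid-ccc333"),
    ("2006-11-20 09:04:10", "carol", "sid-ccc333"),
    ("2006-11-20 09:15:30", "dave",  "sid-ccc333"),
    ("2006-11-20 09:16:00", "alice", "sid-aaa111"),  # same user again: not a finding
    ("2006-11-20 13:00:00", "erin",  "sid-bbb222"),
    ("2006-11-21 13:00:00", "frank", "sid-bbb222"),  # a day apart: separate bursts
]


def shared_session_ids(rows, max_gap=timedelta(minutes=30)):
    """Return {session_id: [(first_seen, last_seen, users), ...]} for every
    burst of sign-ins in which more than one distinct user used that ID.
    A burst is a run of events with no gap longer than max_gap."""
    by_sid = defaultdict(list)
    for ts, user, sid in rows:
        by_sid[sid].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))

    findings = {}
    for sid, events in by_sid.items():
        events.sort()
        bursts, start = [], 0
        for i in range(1, len(events) + 1):
            # Close the current burst at the end of the list or at a long gap.
            if i == len(events) or events[i][0] - events[i - 1][0] > max_gap:
                users = sorted({u for _, u in events[start:i]})
                if len(users) > 1:
                    bursts.append((events[start][0], events[i - 1][0], users))
                start = i
        if bursts:
            findings[sid] = bursts
    return findings


if __name__ == "__main__":
    for sid, bursts in shared_session_ids(SAMPLE_LOG).items():
        for first, last, users in bursts:
            print(f"{sid}: {len(users)} users between {first} and {last}: {users}")
```

Bursts that line up with an output-cache lifetime, as in the ~20 minute periods reported above, point toward a cached response carrying the session cookie rather than an ID collision.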