btw: it's an ssl connection

I forgot to mention that the the connection is ssl-secured so a proxy can't
be the reason after all.

"Benjamin Janecke" wrote:

ok, I'm gonna try. However, we don't have a proxy server and the users don't
have one either. Do you think it could be a proxy operated by the user's ISP?



"George Ter-Saakov" wrote:

Most likely you are dealing with Caching issues.

If those users behind a same proxy server then it's quite possible that
proxy cahcing your pages.

I would advice add Response.Expires = -1 for all your pages.




George.


"Benjamin Janecke" <BenjaminJanecke@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:C194187E-462E-49B9-B330-C85357887DCA@xxxxxxxxxxxxxxxx
Hi,

we're struggling with a strange session problem in an ASP.NET 2.0
application. The application is used by our customers to access
customer-related information such as invoices over the internet. Customer
have to log-in and are then identified by their customer number and some
other information stored in the session. We use the asp.net session cookie
system to keep track of the sessions. This works quite well. Unfortunately
though, we receive occasional reports that customers are able to see and
open
the invoices of another customer that has recently logged-in. This happens
immediately after completing the log-in page. Interestingly, after opening
an
invoice and clicking the "back" button of the browser, the correct data is
displayed and it is no longer possible to access the other user's data.
We've
been investigating this issue for a while now and I can provide the
following
information:

- the users use their own computer and do not share it with others
- there is no bug in the application in terms of customer identification.
Each customer has to log-in with their very own customer number and
password.
- it doesn't seem to be a browser-specific issue
- there are no static members in the asp.net application
- we cannot reproduce the behavior as it seems to happen sporadically

Two more things might be interesting to mention: the asp.net-website is
used
at two different locations of our overall company website. one location
opens
the site in a new window, the other location uses frames. The error only
occurrs if the site is embedded in a frame.

The website uses the "SecureSessionModule" provided by msdn magazine. It's
a
custom http request handler that adds some machine-specific information to
the session id in order to make it more secure. However, I dont think this
module causes the error since it does nothing special.

I guess that some browsers on some machines have problems with session
handling if the page is embedded in a frame and therefore do not send the
session cookie to the server. However, this does not explain why ASP.NET
attaches the user to another running session (instead of raising an error)
and it does also not explain why the correct session is used after
clicking
the browser's "back" button. Could it be that IIS performs some output
caching or something similar which causes this error?

I would really like to solve this problem (not only by getting rid of the
frameset) so any helpful suggestions would be highly appreciated.

regards,
Benjamin



.