My site allows anonymous users. I saw that under heavy load anonymous users sometimes get profile values from other users.

I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my logs that there are always a couple of users who share the same value in .ASPXANONYMOUS.

I can see in my logs that 2 or more users really get the same cookie value for .ASPXANONYMOUS even if they have different IPs.

Here is the HTTP traffic. In the second image the changing cookie is shown (you have to display the image full size to be able to read the log):

One of the many requests that work OK:

[image]

Then there is this one request that changes the cookie:

[image]

Then the new cookie is used:

[image]

Just to be safe I removed dependency injection. I don't use OutputCaching.

My web.config has this setting for authentication:

    <anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
        cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />

    <authentication mode="Forms">
        <forms loginUrl="~/de/Account/Login" />
    </authentication>

Does anybody have an idea what else I could log or what I should have a look at?

UPDATE

I saw now that the HTTP traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.

This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.

The problem really is that whenever the cookies get set from the AnonymousIdentificationModule, there is a chance that a couple of users get this cookie. Setting a cookie in my application doesn't have this strange side effect.

+1  A: 

Are you declaring any static variables in your code at all? I had this similar issue, and narrowed it down to that; at least for my situation.

TheGeekYouNeed
Sounds interesting! Right now I don't see how this could apply to my code. I only have private static readonly ILog _log = LogManager.GetLogger(typeof(HomeController)); And I don't log in the one action I touch right now. But that is a good lead anyway!
Malcolm Frexner
Have you looked at this other question here http://stackoverflow.com/questions/513782?tab=oldest#tab-top Maybe something in here can help?
TheGeekYouNeed
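
One way to act on the question's "what else could I log": record, for every request, the .ASPXANONYMOUS value the client sent and the value set in the response, then flag values tied to more than one client IP. This is an added example, not code from the posts above; the log format, the sample lines (short placeholder values, not real cookie contents) and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample log, one request per line (placeholder cookie values):
# timestamp  client-IP  cookie-sent-by-client  cookie-set-in-response ("-" = none)
SAMPLE_LOG = """\
2010-01-01T10:00:00 10.0.0.1 - AAA111
2010-01-01T10:00:01 10.0.0.2 - BBB222
2010-01-01T10:00:09 10.0.0.2 BBB222 CCC333
2010-01-01T10:00:09 10.0.0.3 - CCC333
2010-01-01T10:00:12 10.0.0.1 AAA111 AAA999
2010-01-01T10:00:15 10.0.0.3 CCC333 -
2010-01-01T10:00:16 10.0.0.2 CCC333 -
2010-01-01T10:00:21 10.0.0.4 - DDD444
2010-01-01T10:00:30 10.0.0.5 DDD444 -
"""

def parse_log(text):
    """Yield (timestamp, ip, sent, issued); '-' becomes None, malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, sent, issued = parts
        yield ts, ip, (None if sent == "-" else sent), (None if issued == "-" else issued)

def find_shared_cookies(records):
    """Return {cookie_value: finding} for values tied to more than one client IP."""
    issued_to = defaultdict(set)  # value -> IPs whose response set this value
    sent_by = defaultdict(set)    # value -> IPs that presented this value
    first_seen = {}
    for ts, ip, sent, issued in records:
        for value, bucket in ((sent, sent_by), (issued, issued_to)):
            if value is not None:
                bucket[value].add(ip)
                first_seen.setdefault(value, ts)
    findings = {}
    for value in first_seen:
        clients = issued_to[value] | sent_by[value]
        if len(clients) < 2:
            continue  # includes the normal refresh, where one client gets a new value
        # Set in responses to several IPs: duplicated at issue time. Otherwise it was
        # issued once and presented from another IP (a roaming client looks the same).
        kind = "duplicate_issue" if len(issued_to[value]) > 1 else "reused"
        findings[value] = {"kind": kind, "clients": sorted(clients), "first_seen": first_seen[value]}
    return findings

if __name__ == "__main__":
    for value, finding in find_shared_cookies(parse_log(SAMPLE_LOG)).items():
        print(value, finding["kind"], finding["clients"], finding["first_seen"])
```

The first_seen timestamp of a duplicate_issue finding identifies the requests to inspect more closely. Client IP is only a rough client key, since users behind one NAT share an address.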