Session is lost on new request in classic asp site

Question

This isn't easy to explain, but I'll try my best.

The issue has started happening in a site that was built some years ago using classic asp, the symptom is that the administrators log-in using a form and then an session variable is set, but suddendly when they request a new page they are prompted again to log-in.

This problem isn't specific to any browser, I've reproduced the problem with Firefox and IE8.

Using Fiddler I can see that suddenly the server sends a new Set-Cookie header, despite a previous session cookie being sent in the request.

From that moment, the server will switch between the two sessions randomly, none of the sessions seem expired, they preserve their own variables, but for the user it's useless because he might be asked to login and then the form data is processed in the already logged-in session.

What can I try to find out the problem?

The server is a shared hosting with IIS6, the hosting company isn't too friendly but the cost of moving everything to other place makes things stay as is.

Thanks.

Some further info: Showing the machine name as suggested by Aaron D. always shows the same name, but I had stored the start time of the application in global.asa:

Sub Application_OnStart()
    Application("Start") = now()
End Sub

And it turns out that when showing that info in a test page it does change as the detected session changes. So there are two servers (with the same name) or somehow it's running twice the application. Is it possible?

Answer 1

I have a couple ideas but nothing definitive.

1. Are some requests over HTTPS and others over HTTP? Are the cookies set to only transfer over secure connections?

2. Are your requests alternating between a subdomain and the primary domain? Example, some requests go to www.foo.com and others to foo.com? The cookies may not be shared between the two unless you set the domain inside the cookie. This could also happen with multiple subdomains.

3. This one is a less common, but is the company hosting your site on multiple servers that are distributing the load? You could tell this by creating a page as specified here: http://mentaljetsam.wordpress.com/2008/01/29/classic-asp-code-to-print-current-server-name/
   If this turns out to be the case, the solution with be to change your session state model from "InProc" to use a shared resource such as a database.

4. Are you sure that it switches you between sessions and doesn't just expire your session away? It could be that your app is restarting (based on your edit) and this is killing your sessions, but the cached result makes it look like it's still valid. Can you try doing hard refreshes and/or check the results with an HTTP traffic watcher like Fiddler? That might give you a better clue about what requests are actually going across the wire.