I have two .NET websites, which are set up to share sessions between them via a SQL DB.

The website stores and retrieves the session using session("MY_Session").add and Session("MY_Session"). What gets stored is basically a custom class with their username and name.

The parent website is set up in IIS using DefaultAppPool and then the secondary site is set up as a virtual directory application in the same pool.

I am not quite sure how it is set up on SQL for the sessions as I did not put it in.

In the web.config for both applications, it is set as follows:

<sessionState mode="SQLServer"
    sqlConnectionString="server=xxxxx;uid=uuuu;pwd=pppppp;Application Name=NNNNNN"/>

Users are claiming that they sometimes open up their browser and go to the site and find that other people's information (from within the same organisation) is appearing...

Anyone able to tell me what I am doing wrong and what to do next please?

+1  A: 

This could be a caching issue, if there is a proxy server involved -- make sure any personalised content is correctly flagged so that it is not shared between clients.

A header like this should improve matters:

Cache-Control: private

Rowland Shaw
Thank you for the advice. So that will hopefully force users' PCs to refresh from the server, but I am confused why they would grab someone else's session? I mean, these people are claiming that they didn't enter any username or password and are able to navigate the whole site and access other people's information completely! Almost like a session hijack.
Ichirichi
Am I safe to assume they are using different PCs?
Spooks
@Ichirichi It may be the case that the session isn't being shared, but content generated based on the session has been cached by an intermediate proxy and given to a different client without the request going all the way back to your server.
Rowland Shaw
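
The following is an added example, not part of the original thread: a check for whether a shared cache (an intermediate proxy) is permitted to store a response, using a simplified subset of the RFC 9111 section 3 storage rules. It shows why a personalised page sent without `Cache-Control: private` can be replayed to another client. The function names and the sample headers are constructed for illustration.

```python
# Added example. Simplified subset of RFC 9111 section 3 for a *shared* cache
# and a GET request; real proxies differ, so treat True as "at risk".
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Return {directive: argument-or-None}; directive names lower-cased.
    Simplification: quoted arguments containing commas are not handled."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_may_store(status, headers, request_has_authorization=False):
    """Return (may_store, reason) for a response as seen by a shared cache."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "no-store"
    # Only the unqualified form of private forbids shared storage outright.
    if "private" in cc and cc["private"] is None:
        return False, "private"
    opt_in = {"public", "must-revalidate", "s-maxage"} & cc.keys()
    if request_has_authorization and not opt_in:
        return False, "Authorization request without shared-cache opt-in"
    if {"public", "max-age", "s-maxage"} & cc.keys() or "expires" in h:
        return True, "explicit freshness or public"
    if status in HEURISTICALLY_CACHEABLE:
        return True, "heuristically cacheable status"
    return False, "no freshness information"


# Constructed sample responses for a page rendered from session data.
SAMPLES = [
    ("no caching headers", 200, {"Set-Cookie": "ASP.NET_SessionId=constructed; path=/"}),
    ("max-age only", 200, {"Cache-Control": "max-age=60"}),
    ("private", 200, {"Cache-Control": "private"}),
    ("no-store", 200, {"Cache-Control": "no-store, max-age=0"}),
]


def at_risk(samples):
    """Labels of responses a shared cache would be allowed to keep."""
    return [label for label, status, hdrs in samples
            if shared_cache_may_store(status, hdrs)[0]]


if __name__ == "__main__":
    for label in at_risk(SAMPLES):
        print("shared cache may store:", label)
```

Because a cookie-based session carries no `Authorization` request header, the Authorization rule never protects these pages; only the response's own directives do.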