Hi,

We are using ASP.NET 2.x. We use session state stored in SQL Server, 2 web servers in load balance, IIS6.

Our issue is that in the last 3 months we have had 2 cases where someone using our enquiry form has seen someone else's info, e.g. first name and last name. We are not populating the form from objects in session, so I have come to the conclusion that the second user has somehow received the viewstate from the first user, after that user has tried to submit and got an error, e.g. has posted view state and returned to the same page and the other user has requested that page at the same time (must have been on the same server, I am guessing, if it is a viewstate issue).

Have any of you experienced this before? Some questions mulling around in my head are how does the worker process know to return view state to a unique request, and how does it determine a unique request, etc.

+1  A: 

Do you use ASP.NET caching?

In the past, there have been some known issues with caching and mismatched sessions in load controlled environments.

I believe this article talks about it: http://msdn.microsoft.com/en-us/magazine/cc163577.aspx#S1

Sonic Soul
Thanks for the article. We do use kernel mode cache or response.output.cache with vary by param; the enquiry form is not added to the output cache. The odd thing is that this is a viewstate issue; I suspect the article was talking about session objects though. The key thing here is that we use custom controls, so viewstate might be handled slightly differently, plus the fact that the article mentions: OutputCacheModule sometimes fails to strip Set-Cookie headers from the cached responses it passes to Http.sys... and connecting users... this could be serving up the same html in the next response...
dvr
Plus we are on Win2003.
dvr
Unless you override viewstate management in your custom controls, it should be pretty uniform with the rest of the .NET controls. It may be worth investigating more. It also may be worth the effort to upgrade to the newer framework.
Sonic Soul
I am going to add enableKernelOutputCache="false". Our enquiry form sits under a different app domain than the rest of the site; let's see if this works...
dvr
Cool, let me know what you find!
Sonic Soul
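
A check for the condition discussed in this thread, added here as an example and not posted by either participant: it flags responses that a shared cache (kernel-mode cache or proxy) may reuse while they carry a `Set-Cookie` header or an embedded `__VIEWSTATE` field. The sample responses, finding labels and function names are constructed for illustration.

```python
import re

def parse_response(raw):
    """Split a raw HTTP response into (headers as dict of lists, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def shared_cacheable(headers):
    """True if a shared cache may store this response and serve it to another user."""
    directives = {}
    for part in ",".join(headers.get("cache-control", [])).lower().split(","):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key] = val
    if {"no-store", "no-cache", "private"} & directives.keys():
        return False
    max_age = directives.get("s-maxage") or directives.get("max-age")
    if max_age:
        return max_age.isdigit() and int(max_age) > 0
    return "public" in directives or "expires" in headers

def audit(raw):
    """Return finding labels for per-user data in a shared-cacheable response."""
    headers, body = parse_response(raw)
    findings = []
    if shared_cacheable(headers):
        if "set-cookie" in headers:
            findings.append("set-cookie-in-cacheable-response")
        if re.search(r'name="__VIEWSTATE"', body):
            findings.append("viewstate-in-cacheable-response")
    return findings

# Constructed samples: a form page cached publicly, the same page marked
# private/no-store, and a static page with no per-user data.
FORM = '<input type="hidden" name="__VIEWSTATE" value="CONSTRUCTED" />'
COOKIE = "Set-Cookie: ASP.NET_SessionId=CONSTRUCTED; path=/; HttpOnly\r\n"
LEAKY = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=60\r\n" + COOKIE + "\r\n" + FORM
SAFE = "HTTP/1.1 200 OK\r\nCache-Control: private, no-store\r\n" + COOKIE + "\r\n" + FORM
STATIC = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\n\r\n<h1>About</h1>"

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("safe", SAFE), ("static", STATIC)):
        print(name, audit(raw))
```

Running it over responses captured from each load-balanced node separately shows whether the enquiry form is ever emitted with cacheable headers on one server but not the other.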