Asp.net Sessions Getting Crossed / Mixed Up

A few weeks ago we had one of our customers contacting us saying that sometimes when he creates an activity it gets created under someone else's name!

We did some troubleshooting and couldn't find anything. We asked the user to contact us the next time he was experiencing these issues. He did contact us and we were able to do a gotomeeting with him and see the issue with our own eyes.

It was not only the activities: he was recognized as someone else in the application. He had access to everything that other person should have had access to. That was when we realized we were having a session mix-up issue.

A little bit about our code:
Like any other application we have a simple login page where the user enters an email and password, we authenticate them against our database, and if they are valid we call FormsAuthentication.SetAuthCookie() to save the current user id in the cookie and let him in.

    // Validate the credentials against the database.
    BL.User currentUser = BL.User.Authenticate(txtUsername.Text, txtPassword.Text);
    if (currentUser != null)
    {
        this.Session["NumberOfLoginTried"] = "0";
        // Store the user id as the identity name in the forms-authentication cookie.
        FormsAuthentication.SetAuthCookie(currentUser.UserID.ToString(), chRememberMe.Checked);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(currentUser.UserID.ToString(), false));
    }

We also use the following piece of code to get logged-in user id (current user) in our application.

    public static int GetCurrentUserID()
    {
        int userID = -1;
        // Identity.Name holds the user id string written by SetAuthCookie at login.
        int.TryParse(HttpContext.Current.User.Identity.Name, out userID);
        return userID;
    }

And yes, we did our homework and googled around and have seen the following two links:

http://lionsden.co.il/codeden/?p=446
ASP.NET Session Mix-up using StateServer (SCARY!)

We have disabled kernel-mode caching and user-mode caching for .aspx and .ascx files and this is still happening.

P.S. The app is running on Windows 2008 R2 with IIS 7.5. And we are NOT using cookieless session.

Houda asked Apr 07 '11 00:04
2 Answers

We have just had a very similar problem, which occurred at random, seemingly unreproducibly.

The problem turned out to be ASP.NET's page caching mechanism - in our case the <%@ OutputCache tag in particular.

There was a line we had used <%@ OutputCache NoStore="true" Duration="1" %> that basically meant if two users accessed the same page within 1 second of each other they would see the same page (including the logged in username of the other user). So if they refreshed said page, they got the correct information.

In our case, changing said line to <%@ OutputCache NoStore="true" Duration="1" VaryByParam="*" %>, disabling kernel caching in IIS as in this link (http://lionsden.co.il/codeden/?p=446)

and adding the following lines to the Page_Load event of the page in question:

    // Mark the response private and already expired so no shared cache keeps it.
    Response.CacheControl = "private";
    Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
    Response.Cache.SetCacheability(HttpCacheability.NoCache);

seems to have solved the problem for us. Hopefully this helps someone else with a similar issue.

Joebone answered Oct 04 '22 02:10
We had the same problem and it was caused by the <clientCache/> setting in IIS, which by default fails to add the Cache-Control: private HTTP header. The lack of this header meant that our Forms Authentication cookies were being cached by downstream proxy servers! So when our site got busy, all of a sudden a load of users would suddenly get logged in as the wrong user! Nightmare.

Ben Collins answered Oct 04 '22 01:10
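Both answers describe the same class of defect seen from two layers: a page rendered for one authenticated user (or the response that sets their forms-authentication cookie) is stored by a cache that does not know the response is per-user, and is then served to someone else. The following Global.asax.cs is an added example for a hypothetical application, not code from the question or from either answer. It addresses both layers at once: it keys the ASP.NET output cache on the authenticated identity (varying by parameters alone still lets two users with an identical URL share one cached copy), and it stamps every response that belongs to an authenticated request, or that issues the forms-authentication cookie, as private and non-storable so that IIS kernel-mode caching and downstream proxies cannot keep it. It assumes the page directive shown in the comment and the default cookie name exposed by FormsAuthentication.FormsCookieName.

```csharp
// Global.asax.cs (added example for a hypothetical application; not the page's own code)
using System;
using System.Web;
using System.Web.Security;

namespace ExampleApp
{
    public class Global : HttpApplication
    {
        // Value used in the page directive (assumed, not from the original post):
        //   <%@ OutputCache Duration="60" VaryByParam="*" VaryByCustom="user" NoStore="true" %>
        private const string VaryByUserKey = "user";

        // ASP.NET calls this for each VaryByCustom value named in an OutputCache directive.
        // Returning a string that embeds the identity gives every authenticated user a
        // separate cache entry, so a page rendered for user A is never handed to user B.
        public override string GetVaryByCustomString(HttpContext context, string custom)
        {
            if (string.Equals(custom, VaryByUserKey, StringComparison.OrdinalIgnoreCase))
            {
                return IsAuthenticated(context)
                    ? "user=" + context.User.Identity.Name
                    : "anonymous";
            }
            return base.GetVaryByCustomString(context, custom);
        }

        // Fires just before headers are sent, for cached and uncached responses alike.
        // Any response tied to an authenticated request, or that sets the auth cookie,
        // is made private/no-store so neither IIS nor an intermediary stores it.
        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
        {
            var context = ((HttpApplication)sender).Context;
            if (context == null)
            {
                return;
            }

            if (IsAuthenticated(context) || SetsFormsAuthCookie(context.Response))
            {
                MarkResponseUncacheable(context.Response);
            }
        }

        private static bool IsAuthenticated(HttpContext context)
        {
            return context.User != null
                && context.User.Identity != null
                && context.User.Identity.IsAuthenticated;
        }

        // Look at AllKeys rather than indexing Response.Cookies[name]: the response
        // collection creates a cookie on demand, so the indexer would never be null.
        private static bool SetsFormsAuthCookie(HttpResponse response)
        {
            return Array.IndexOf(response.Cookies.AllKeys, FormsAuthentication.FormsCookieName) >= 0;
        }

        public static void MarkResponseUncacheable(HttpResponse response)
        {
            response.Cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
            response.Cache.SetNoStore();                              // adds no-store
            response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));   // Expires in the past
            response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
            response.AppendHeader("Pragma", "no-cache");
        }
    }
}
```

After deploying a change like this, confirm it from outside the application: fetch a page once with a valid forms-authentication cookie and once without, and check that the authenticated response carries Cache-Control: no-cache, no-store (and no Set-Cookie for the auth cookie appears on any response without those headers). If a reverse proxy or CDN sits in front of IIS, repeat the check against that front end, since that is the layer Ben Collins' answer describes caching the cookie.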