ContextSessionSecurityToken being overwritten when second user logs in

Tags:

c#

.net

wif

I have an issue occurring in a single production environment that is very head-scratching.

You have two users, A and B. User A logs in, everything works fine. User B logs in, and after user B logs in, user A now has the same security token as user B.

Our WIF setup is fairly standard; we inject some custom claims on the token, but everything else looks standard as far as how the token is being created and stored (handled by WIF).

I feel like I may be running into some weird edge case with WIF that I am not familiar with.

Update: Both A and B can be on separate machines, or separate browsers on the same machine.

Where we get the token when requesting a service:

// Bail out when there is no request context, no cache, or no WIF session module.
if (HttpContext.Current == null)
    return null;

if (HttpContext.Current.Cache == null)
    return null;

if (FederatedAuthentication.SessionAuthenticationModule == null)
    return null;

if (FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken == null)
    return null;

// The session token WIF attached to the current request.
var sessionToken = FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken;
if (sessionToken.ClaimsPrincipal == null)
    throw new InvalidOperationException("The ClaimsPrincipal property of the FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken object is null");
if (sessionToken.ClaimsPrincipal.Identities == null)
    throw new InvalidOperationException("The ClaimsPrincipal.Identities sub-property of the FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken object is null");
if (sessionToken.ClaimsPrincipal.Identities.Count == 0)
    throw new InvalidOperationException("The ClaimsPrincipal.Identities sub-property of the FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken object has no identities");
if (sessionToken.ClaimsPrincipal.Identities[0] == null)
    throw new InvalidOperationException("The first identity in the ClaimsPrincipal.Identities sub-property of the FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken object is null");
if (sessionToken.ClaimsPrincipal.Identities[0].Claims == null)
    throw new InvalidOperationException("The first identity in the ClaimsPrincipal.Identities sub-property of the FederatedAuthentication.SessionAuthenticationModule.ContextSessionSecurityToken object has a null Claims property");

// Exchange the validated session token for the delegated token the service needs.
return TokenUtility.GetDelegatedToken(IssuedTokenTypes.UserProfile | IssuedTokenTypes.AccountPermissions, sessionToken);

If I add logging here I can see the sessionToken.ClaimsPrincipal.Identity.Name differs from the name it is supposed to be at this point.

Aaron M asked Feb 20 '13 18:02

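As an added example (not the asker's code or any WIF API), a guard around the same lookup that refuses to hand out a delegated token when the identity inside the session token does not match the identity the request was authenticated as, which is the mismatch the logging above exposed. It assumes the WIF 4.5 namespaces; SessionTokenGuard and its logging are hypothetical names.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security;
using System.Threading;
using System.Web;

// Hypothetical guard: fail closed if the session token about to be delegated
// does not belong to the user this request was authenticated as.
public static class SessionTokenGuard
{
    public static SessionSecurityToken GetVerifiedSessionToken()
    {
        HttpContext context = HttpContext.Current;
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (context == null || sam == null)
            return null;

        SessionSecurityToken sessionToken = sam.ContextSessionSecurityToken;
        if (sessionToken == null)
            return null;

        // Identity the module set on the request after validating the session cookie.
        string requestUser = (context.User != null && context.User.Identity != null)
            ? context.User.Identity.Name : null;
        // Identity carried inside the token that would be passed downstream.
        string tokenUser = (sessionToken.ClaimsPrincipal != null && sessionToken.ClaimsPrincipal.Identity != null)
            ? sessionToken.ClaimsPrincipal.Identity.Name : null;

        if (string.IsNullOrEmpty(requestUser) || string.IsNullOrEmpty(tokenUser))
            throw new InvalidOperationException("Request identity or session token identity is missing.");

        if (!string.Equals(requestUser, tokenUser, StringComparison.Ordinal))
        {
            // Record enough to spot cross-request sharing: token id, lifetime and worker thread.
            Trace.TraceError(
                "Session token identity mismatch: request user '{0}', token user '{1}', token id {2}, valid {3:o}-{4:o}, thread {5}",
                requestUser, tokenUser, sessionToken.Id, sessionToken.ValidFrom, sessionToken.ValidTo,
                Thread.CurrentThread.ManagedThreadId);
            throw new SecurityException("Session token does not belong to the authenticated user.");
        }

        return sessionToken;
    }
}
```

Call GetVerifiedSessionToken() in place of reading ContextSessionSecurityToken directly, so that a token leaking across users is logged and blocked rather than exchanged for a delegated token.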




1 Answer

Are your relying party and STS (WIF) server hosted on the same IIS using the same application pool? If yes, then try using a different application pool, as the worker process sometimes messes things up. Hope this will help you.

Krishan Kumar Gorav answered Oct 05 '22 07:10
