 

Different users get the same cookie - value in .ASPXANONYMOUS

My site allows anonymous users. I saw that under heavy load anonymous users sometimes get profile values from other users.

I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my logs that there are always a couple of users who share the same value in .ASPXANONYMOUS.

I can see in my logs that 2 or more users really get the same cookie value for .ASPXANONYMOUS even if they have different IPs.

Here is the HTTP traffic. In the second image the changing cookie is shown (you have to display the image full size to be able to read the log):

One of the many requests that work OK:

http://img413.imageshack.us/img413/2711/log1.gif

Then there is this one request that changes the cookie:

http://img704.imageshack.us/img704/8175/log2.gif

Then the new cookie is used:

http://img704.imageshack.us/img704/3818/log3.gif

Just to be safe I removed dependency injection. I don't use OutputCaching.

My web.config has this setting for authentication:

    <anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
        cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />

    <authentication mode="Forms">
        <forms loginUrl="~/de/Account/Login" />
    </authentication>

Does anybody have an idea what else I could log or what I should have a look at?

UPDATE

I saw now that the http-traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.

This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.

The problem really is that whenever the cookies get set from the AnonymousIdentificationModule, there is a chance that a couple of users get this cookie. Setting a cookie in my application doesn't have this strange side effect.

Mathias F asked Mar 15 '10 16:03


2 Answers

I had the same problem and the solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this:

  • Don’t let your cookie being cached by accident!
  • ASP.NET Session Mix-up using StateServer (SCARY!)
  • Integrated Pipeline and the kernel-mode cache
John Smith answered Sep 20 '22 02:09
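
A check for the condition this answer describes, as an added example that is not part of the original answer: it scans response records for .ASPXANONYMOUS being set on a response that a cache is allowed to store, and for one cookie value issued to more than one client IP. The record layout (one Set-Cookie header per record), the sample data and the names issued_value, is_shareable and audit are constructed for illustration.

```python
from collections import defaultdict

COOKIE = ".ASPXANONYMOUS"

# Constructed sample records (client IP, URL, response headers); not taken from the question's logs.
SAMPLE = [
    ("10.0.0.1", "/de/Home", {"Set-Cookie": ".ASPXANONYMOUS=AAA111; path=/", "Cache-Control": "public, max-age=60"}),
    ("10.0.0.2", "/de/Home", {"Set-Cookie": ".ASPXANONYMOUS=AAA111; path=/", "Cache-Control": "public, max-age=60"}),
    ("10.0.0.3", "/de/Account/Login", {"Set-Cookie": ".ASPXANONYMOUS=BBB222; path=/", "Cache-Control": "no-cache, no-store"}),
    ("10.0.0.4", "/de/About", {"Cache-Control": "public, max-age=60"}),
]

def issued_value(headers, name=COOKIE):
    """Return the value of cookie `name` if this response sets it, else None."""
    first = headers.get("Set-Cookie", "").split(";", 1)[0]
    key, sep, value = first.partition("=")
    return value if sep and key.strip() == name else None

def is_shareable(headers):
    """True if Cache-Control does not forbid a cache from storing and reusing the response."""
    # A missing Cache-Control header is treated as storable, the conservative reading.
    directives = {d.strip().split("=")[0].lower() for d in headers.get("Cache-Control", "").split(",")}
    return not directives & {"no-store", "private", "no-cache"}

def audit(records):
    """Return (cacheable_urls, shared_values): URLs that set the cookie on a storable
    response, and cookie values that were issued to more than one client IP."""
    cacheable_urls, clients = set(), defaultdict(set)
    for ip, url, headers in records:
        value = issued_value(headers)
        if value is None:
            continue
        clients[value].add(ip)
        if is_shareable(headers):
            cacheable_urls.add(url)
    shared = {v: sorted(ips) for v, ips in clients.items() if len(ips) > 1}
    return sorted(cacheable_urls), shared

if __name__ == "__main__":
    urls, shared = audit(SAMPLE)
    print("cookie set on cacheable responses:", urls)
    print("values issued to several clients:", shared)
```

A URL that appears in the first result is a response where output caching should be turned off, which is the fix this answer gives.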


Are you declaring any static variables in your code at all? I had a similar issue, and narrowed it down to that, at least for my situation.

TheGeekYouNeed answered Sep 21 '22 02:09