S
Sebastian
Hello,
I've implemented an ASP.NET Application that is used by many people
concurrently. Each user logs on using Forms Authentication
(authentication against Active Directory). After logon succeeded,
additional data are saved into the session state (Session["ABC"] = new
CDE()) for the user that just logged on.
The problem now is that, if we look at the 3 users A, B and C using
the application concurrently, it happens very often that a user "hops"
between different session: in it's first request user A sees the data
that have been saved in its own session, after submitting the form he
gets the data from session of user B. The next request comes back with
the session data of user C, or A, or B. There's no pattern.
The users identity saved in the HttpContext (Context.User) is always
the right one: if user A logged on, he will be also in subsequent
requests. It's only the session state that isn't the right one ...
ASP.NET seem to mess up the session state! Looks like the state isn't
bound correctly to the single session, or the assignment of session
state back to a requests is buggy.
The application is running on a Win2K Server (no strange chars in the
server's name) with .NET Framework 1.1 on IIS 5. The most of the
security patches/updates are installed.
This strange behaviour can be seen as soon as the application is
configured with the cookieless="true" attribute. I tried to save the
session state using the "StateServer" instead of "InProc", but no
luck. There are no absolute links where the session id in the url can
be lost.
Setting cookieless="false" in web.config seems to solve the problem,
but that's not what I want ;-)
I'd be glad, if somebody could tell me what I'm doing wrong, or if
this a bug? I searched in various newsgroups, but found anything
helpful on this.
Thanks in advance.
Sebastian
I've implemented an ASP.NET Application that is used by many people
concurrently. Each user logs on using Forms Authentication
(authentication against Active Directory). After logon succeeded,
additional data are saved into the session state (Session["ABC"] = new
CDE()) for the user that just logged on.
The problem now is that, if we look at the 3 users A, B and C using
the application concurrently, it happens very often that a user "hops"
between different session: in it's first request user A sees the data
that have been saved in its own session, after submitting the form he
gets the data from session of user B. The next request comes back with
the session data of user C, or A, or B. There's no pattern.
The users identity saved in the HttpContext (Context.User) is always
the right one: if user A logged on, he will be also in subsequent
requests. It's only the session state that isn't the right one ...
ASP.NET seem to mess up the session state! Looks like the state isn't
bound correctly to the single session, or the assignment of session
state back to a requests is buggy.
The application is running on a Win2K Server (no strange chars in the
server's name) with .NET Framework 1.1 on IIS 5. The most of the
security patches/updates are installed.
This strange behaviour can be seen as soon as the application is
configured with the cookieless="true" attribute. I tried to save the
session state using the "StateServer" instead of "InProc", but no
luck. There are no absolute links where the session id in the url can
be lost.
Setting cookieless="false" in web.config seems to solve the problem,
but that's not what I want ;-)
I'd be glad, if somebody could tell me what I'm doing wrong, or if
this a bug? I searched in various newsgroups, but found anything
helpful on this.
Thanks in advance.
Sebastian