ASP Session Swapping!!! HIPAA Compliancy Related!!!

Jerry Kizziar

Greetings!

I have a client that on 2 occasions has had their classic ASP Sessions
swapped with another user. We have a support site that uses the Session
object to store all of the relevant data, and one of the options on the site
is to download txt files related to that client. When they log in they go to
the area to download files, click on a file and it displays it in the (same)
browser, they click back and it goes back to the listing of files. Both
occasions, reportedly they clicked back, had a long delay and then it would
give them a listing of the wrong client's files.

Oddly enough, both times they got the listing of the wrong client's files, it
was the same client's files that appeared. We also display the name of the
client and the user, Session("client") and Session("login") and they were
different.

Once they log in to the site, none of the session variables are changed.

The server is running Windows 2003 Standard with IIS 6 (not IIS5 isolation
mode)

Any help would be greatly appreciated!!!!
 
