ASP Session Swapping!!! HIPAA Compliancy Related!!!

Chris

Greetings!

I have a client that on 2 occasions has had their classic ASP Sessions
swapped with another user. We have a support site that uses the Session
object to store all of the relevant data, and one of the options on the
site is to download txt files related to that client. When they log in they
go to the area to download files, click on a file and it displays it in the
(same) browser, they click back and it goes back to the listing of files. On
both occasions, reportedly they clicked back, had a long delay and then it
would give them a listing of the wrong client's files.

Oddly enough, both times they got the listing of the wrong client's files, it
was the same client's files that appeared. We also display the name of the
client and the user, Session("client") and Session("login"), and they were
different.

Once they log in to the site, none of the session variables are changed.

The server is running Windows 2003 Standard with IIS 6 (not IIS5 isolation
mode).

Any help would be greatly appreciated!!!!
 
Default User

It's not a caching problem; the client will see a session of a completely
different client, in a different state even.

Thanks
Jerry Kizziar
 
[MSFT]

If so, it is necessary to check the logic by which you send the txt file
based on the client user account. When the user clicks the "back" button, the
browser may send a new request to the server, and the logic may misunderstand
this request.

Luke
 
Jerry Kizziar

I am taking this into account. Also keep in mind that the session variables
only get set on login, and yet they are somehow changed to represent a
different user. The files that they download are stored in a specific
directory based upon the client number, and that client number is also stored
in the session object.
 
[MSFT]

On the client side, clear the IE local cache (Tools/Internet options/General,
click the "delete files" button, and close all IE windows). Will this
correct the problem?

Luke
 
Chris

> On the client side, clear the IE local cache (Tools/Internet options/General,
> click the "delete files" button, and close all IE windows). Will this
> correct the problem?
>
> Luke

Nope, tried that already, didn't help.

Thanks
 
[MSFT]

I suggest you perform an HTTP trace with a utility like "Network Monitor"
to see the exact content passed between your client and server. In the
content, you can find the session ID passed from the client and how the
server responds to the request. We may find some clue to the problem.

Luke
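
A server-side complement to the trace suggested above, as an added example that is not part of the original thread: it assumes IIS W3C extended logging with the c-ip and cs(Cookie) fields enabled, and flags any classic ASP session ID presented by more than one client address. The log lines, paths, addresses and session IDs are constructed.

```python
import re
from collections import defaultdict

# Classic ASP session cookies are named ASPSESSIONID plus an 8-letter suffix.
ASP_COOKIE = re.compile(r"(ASPSESSIONID[A-Z]{8})=([A-Z]+)")

# Constructed sample in IIS W3C extended format (hypothetical paths and IDs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Cookie)
2005-03-01 14:02:10 192.0.2.10 GET /support/login.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDQQGGGCAB=CONSTRUCTEDSESSIONIDAAAA
2005-03-01 14:02:40 198.51.100.7 GET /support/files.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDQQGGGCAB=CONSTRUCTEDSESSIONIDBBBB
2005-03-01 14:03:05 192.0.2.10 GET /support/download.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDQQGGGCAB=CONSTRUCTEDSESSIONIDAAAA
2005-03-01 14:03:55 192.0.2.10 GET /support/files.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0) lang=en;+ASPSESSIONIDQQGGGCAB=CONSTRUCTEDSESSIONIDBBBB
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def shared_sessions(text):
    """Return {session_id: sorted client IPs} for IDs sent by more than one IP."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        # IIS logs every request cookie in one field, separated by ';+'.
        for _name, sid in ASP_COOKIE.findall(row.get("cs(Cookie)", "")):
            seen[sid].add(row.get("c-ip", "-"))
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} presented by {', '.join(ips)}")
```

A session ID seen from two addresses can also be one user whose NAT or proxy address changed, so compare timestamps and user agents before drawing a conclusion.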
 
Bob Barrows [MVP]

SmithRA said:
> Chris,
> I am having a similar issue. I have a customer Id session variable
> that is being overwritten from a 2nd user of the same web application
> on a different work station. I can reproduce the issue by logging on
> my workstation and also logging on my laptop. Have you found an
> answer to this issue yet?
> It is an ASP.Net application running on Framework 1.1 and
> created with VS.Net 2002.

There was no way for you to know it, but this is a classic ASP newsgroup.
While you may be lucky enough to find a dotnet-savvy person here who can
answer your question, you can eliminate the luck factor by posting your
question to a newsgroup where the dotnet-savvy people hang out. I suggest
microsoft.public.dotnet.framework.aspnet.

HTH,
Bob Barrows
 
