Session mix-up issue

Discussion in 'ASP .Net' started by Benjamin Sunil, Jan 21, 2010.

  1. We ran into a strange issue 2 days back in our client's production
    environment. A remote user logs in and finds out that the data available in
    the web page are from a different user. The client environment is having
    .net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The
    web server is on NLB and in a DMZ. The sessions are maintained In proc.

    We analysed the IIS logs and the network logs for that duration and were not
    able to conclude if this was a security issue or a genuine application
    related issue.

    Request your inputs in solving this issue.
    Benjamin Sunil, Jan 21, 2010
    #1

  2. Benjamin Sunil wrote:
    > We ran into a strange issue 2 days back in our client's production
    > environment. A remote user logs in and finds out that the data
    > available in the web page are from a different user. The client
    > environment is having .net 3.5 running on Windows 2003 server
    > connected to an Oracle 10g DB. The web server is on NLB and in a DMZ.
    > The sessions are maintained In proc.
    >
    > We analysed the IIS logs and the network logs for that duration and
    > were not able to conclude if this was a security issue or a genuine
    > application related issue.
    >
    > Request your inputs in solving this issue.


    The problem appears to be that you're using NLB so any server could respond
    to the requests, but you're using in-process session state, so each server
    has its own version of that session's state. You need to have one machine
    looking after the session state for all the servers.

    "ASP.NET Session State"
    http://msdn.microsoft.com/en-us/library/ms972429.aspx

    Andrew
    Andrew Morton, Jan 21, 2010
    #2

  4. bruce barker, Guest

    Your application probably stores session/request info in a static
    variable (or vb module) so it's shared between all requests.

    -- bruce (sqlwork.com)



    Benjamin Sunil wrote:
    > We ran into a strange issue 2 days back in our client's production
    > environment. A remote user logs in and finds out that the data available in
    > the web page are from a different user. The client environment is having
    > .net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The
    > web server is on NLB and in a DMZ. The sessions are maintained In proc.
    >
    > We analysed the IIS logs and the network logs for that duration and were not
    > able to conclude if this was a security issue or a genuine application
    > related issue.
    >
    > Request your inputs in solving this issue.
    bruce barker, Jan 22, 2010
    #4
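    bruce's static-variable explanation, as an added example that is not code from the thread or from the OP's application: a stand-alone console C# program (no ASP.NET) in which a static CurrentUser slot hands one user's identity to a concurrent request, beside per-request storage (the role HttpContext.Items or Session play in ASP.NET). The alice/bob request threads and the Barrier are constructed to force the interleaving that under real load happens only intermittently, which is also why the same symptom can show up on a single server without NLB.

```csharp
// Added example, not from the thread; the two requests and the Barrier are constructed to force the leak.
using System;
using System.Collections.Generic;
using System.Threading;

static class LeakyUserContext
{
    // BUG (bruce's point): one slot per worker process, shared by every request thread.
    public static string CurrentUser;
}

class Program
{
    // Runs two "requests" (alice, bob) concurrently in one process and returns
    // which user's identity each request ended up rendering.
    static Dictionary<string, string> Run(bool useStatic)
    {
        var rendered = new Dictionary<string, string>();
        var step = new Barrier(2);   // both "logins" complete before either "render"
        var threads = new List<Thread>();
        foreach (var user in new[] { "alice", "bob" })
        {
            var t = new Thread(() =>
            {
                // Per-request store: what HttpContext.Items / Session give you in ASP.NET.
                var request = new Dictionary<string, string>();
                if (useStatic) LeakyUserContext.CurrentUser = user;   // "login"
                else request["user"] = user;
                step.SignalAndWait();   // the other request's login runs in between
                // "render": with the static slot both threads read the last write,
                // so one of them shows the other user's identity.
                var shown = useStatic ? LeakyUserContext.CurrentUser : request["user"];
                lock (rendered) rendered[user] = shown;
            });
            threads.Add(t); t.Start();
        }
        threads.ForEach(t => t.Join());
        return rendered;   // logged-in user -> user whose data the page showed
    }

    static void Main()
    {
        foreach (var useStatic in new[] { true, false })
        {
            var r = Run(useStatic);
            Console.WriteLine((useStatic ? "static field" : "per-request") +
                              ": alice saw " + r["alice"] + ", bob saw " + r["bob"]);
        }
    }
}
```

    In the static-field run one of the two users always sees the other's identity; in the per-request run each sees their own, regardless of how the threads are scheduled.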
  5. Mr. Arnold, Guest

    Benjamin Sunil wrote:
    > We ran into a strange issue 2 days back in our client's production
    > environment. A remote user logs in and finds out that the data available in
    > the web page are from a different user. The client environment is having
    > .net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The
    > web server is on NLB and in a DMZ. The sessions are maintained In proc.
    >
    > We analysed the IIS logs and the network logs for that duration and were not
    > able to conclude if this was a security issue or a genuine application
    > related issue.
    >
    > Request your inputs in solving this issue.


    Same application being used by two clients at about the same time. The
    session variables have the same names assigned being used in both
    sessions with the application. In effect, they are using the same memory.

    One user does a save, and the session variables are re-populated.
    However, the other user does something to cause a postback, and now, the
    user has the session variables information that were populated by the
    other user.

    The same application used by two or more users with session variables
    can step on each other's session variables in an InProc with session
    state in memory.

    The way you get around this is that each session variable name should
    have a unique name based on some type of unique user information.

    As an example, if a user has a userid, that would be the uniqueness
    needed to segregate the session variables between the users.

    SessionVariableName + userid -- on a concatenation of
    SessionVariableName + userid will make the SessionVariableName unique to
    the user's session.

    The session variables will not be stepped on, if you make session-names
    unique to the user.
    Mr. Arnold, Jan 22, 2010
    #5
  6. Mr. Arnold, Guest

    Benjamin Sunil wrote:

    <snipped>

    I will say that it was happening with users that had the same
    application opened twice in the same session that inproc session
    variables were being stepped on, and the session variables were made
    unique within the same session.

    I recall now what I had to do to correct it.
    Mr. Arnold, Jan 22, 2010
    #6
  7. "Andrew Morton" wrote:

    > Benjamin Sunil wrote:
    > > We ran into a strange issue 2 days back in our client's production
    > > environment. A remote user logs in and finds out that the data
    > > available in the web page are from a different user. The client
    > > environment is having .net 3.5 running on Windows 2003 server
    > > connected to an Oracle 10g DB. The web server is on NLB and in a DMZ.
    > > The sessions are maintained In proc.
    > >
    > > We analysed the IIS logs and the network logs for that duration and
    > > were not able to conclude if this was a security issue or a genuine
    > > application related issue.
    > >
    > > Request your inputs in solving this issue.

    >
    > The problem appears to be that you're using NLB so any server could respond
    > to the requests, but you're using in-process session state, so each server
    > has its own version of that session's state. You need to have one machine
    > looking after the session state for all the servers.
    >
    > "ASP.NET Session State"
    > http://msdn.microsoft.com/en-us/library/ms972429.aspx
    >
    > Andrew


    Thanks much Andrew, but strangely in another client instance of the
    application, where there is no NLB, we faced the same issue. As explained by
    Arnold, this may be due to the same session name being used that gets
    populated to another user if they are accessing the application at the same
    time.

    Will explore on this, meanwhile if there are any inputs please do share as
    it will be helpful in solving this at the earliest.

    Thanks much,
    Benjamin
    Benjamin Sunil, Jan 29, 2010
    #7
  8. Benjamin Sunil wrote:
    > Thanks much Andrew, but strangely in another client instance of the
    > application, where there is no NLB, we faced the same issue. As
    > explained by Arnold, this may be due to the same session name being
    > used that gets populated to another user if they are accessing the
    > application at the same time.
    >
    > Will explore on this, meanwhile if there are any inputs please do
    > share as it will be helpful in solving this at the earliest.


    On the server not using load-balancing, does it happen to have Web Garden
    set to use more than one worker process for the Application Pool
    (Properties->Performance tab) for that web site? That has the same effect;
    using out-of-process session state is imperative in that case. Or else much
    "hilarity" ensues when we're testing.

    Andrew
    Andrew Morton, Jan 29, 2010
    #8
  9. Hi,

    Unfortunately, we encountered the same issue yesterday in the client
    environment. User1 gets details of User2 who had logged in earlier in the
    day. We have asked the client to disable the NLB for now and monitor for
    re-occurrence of this issue.

    Meanwhile will try out the session related solutions as advised.

    If there are any more inputs please do share.

    Thanks much.

    "Mr. Arnold" wrote:

    > Benjamin Sunil wrote:
    >
    > <snipped>
    >
    > I will say that it was happening with users that had the same
    > application opened twice in the same session that inproc session
    > variables were being stepped on, and the session variables were made
    > unique within the same session.
    >
    > I recall now what I had to do to correct it.
    Benjamin Sunil, Feb 1, 2010
    #9
