Lions Den

The Code and Times of Hanan Schwartzberg

About Hanan | Hanan's CV | Contact Hanan

February 17, 2010

IIS7 Sessions Getting Crossed / Mixed Up / Copied

Filed under: ASP.NET, IIS7 — Hanan Schwartzberg @ 10:25 pm

The symptom

Users reported seeing data that did not belong to them when they logged into their accounts. Logs showed that nearly 10% of our users were being assigned copies of other users' sessions. The entire session object was copied, including the session variables and the SessionID. Once duplicated, each copy could be modified without affecting the other (abandoning one did not kill the other).

To spot instances of the problem I stored the IP address of the client making the request (Request.UserHostAddress in ASP.NET) in a session variable. At the beginning of each request I checked that the IP stored in the session matched the IP of the current request.
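The check described above, written out as an added example rather than code from the original post: an IHttpModule that records the client IP the first time a session is touched and refuses to serve that session to any other IP. The session key name, the login page and the log format are assumptions.

```csharp
// Added example (not from the post): pin each ASP.NET session to the client IP
// it was created from and refuse to serve it to a different IP.
// Register in web.config under <system.webServer><modules>:
//   <add name="SessionIpCheck" type="SessionIpCheckModule" />
using System;
using System.Diagnostics;
using System.Web;

public class SessionIpCheckModule : IHttpModule
{
    // Session key under which the owning IP is stored (hypothetical name).
    private const string OwnerIpKey = "__SessionOwnerIp";

    public void Init(HttpApplication app)
    {
        // Session state is not loaded until AcquireRequestState completes,
        // so the earliest safe point to read it is PostAcquireRequestState.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var session = ctx.Session;
        if (session == null)
            return; // this handler does not use session state (static files etc.)

        string currentIp = ctx.Request.UserHostAddress;
        string ownerIp = session[OwnerIpKey] as string;

        if (ownerIp == null)
        {
            // Written exactly once, on the first request that touches the session.
            session[OwnerIpKey] = currentIp;
            return;
        }

        if (string.Equals(ownerIp, currentIp, StringComparison.Ordinal))
            return; // same client as before, nothing to do

        // Mismatch: either the client's IP changed legitimately or this session
        // reached a client it does not belong to. In both cases do not serve the
        // session's data: record the event, drop the session and start over.
        Trace.TraceWarning(
            "Session {0} created from {1} presented by {2} for {3}",
            session.SessionID, ownerIp, currentIp, ctx.Request.RawUrl);

        session.Abandon();
        // Expire the session cookie so the browser stops resending the same ID
        // (cookie name is the ASP.NET default; sessionState cookieName can change it).
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1)
        });
        ctx.Response.Redirect(VirtualPathUtility.ToAbsolute("~/Login.aspx"), true);
    }

    public void Dispose() { }
}
```

Two caveats for anyone reusing this: client IPs do change legitimately (mobile networks, proxy pools, a reset modem), so the worst case for a genuine user is a forced re-login, which is the right trade-off while sessions are leaking; and behind a load balancer or reverse proxy UserHostAddress is the proxy's address, so every request matches and the check is blind unless you read the forwarded-for header from a proxy you trust.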

What it was not

It is possible for a user's IP to change naturally, most simply if he resets his router/modem. That was not the explanation here: it was happening far too often, there were confirmed cases of one user's data being crossed with another's, and some of the IP pairs were not just on different computers but in different countries.

It is also possible, and was often suggested, that session data can appear to be shared between users if the application keeps it in static/shared variables. This was not the case either: the IP address I stored in the session was written exactly once, from the request, and afterwards was only read to compare against the request. It was also ruled out because the SessionID itself was duplicated, and that is a read-only value.

What it was

It was an IIS7 output-caching feature applied to pages it should never cover. This version of IIS introduced some new caching features.

  1. IIS7 automatically caches static content, such as HTML pages, images, and style sheets.
  2. IIS7 now has the ability to cache dynamic content as well.

Caching dynamic content is great for a page such as a dynamically generated image gallery, or a page generated based on the browser's culture. However, in a thread on the subject, Anil Ruia, a Senior Software Design Engineer on the IIS Core team, explains, "You should not be enabling output caching for any response which depends on session state."

IIS output caching stores the complete response, headers included. For a page whose content depends on session state that means the first user's rendered data and, when the request was the first of a new session, the Set-Cookie header that issues the ASP.NET session ID. The next user to request the same URL within the rule's lifetime is handed that stored response instead of a freshly generated one: the same content and the same session identifier. From a security standpoint any per-user response served from a shared cache is an information disclosure, whether or not the session itself ends up reused. When I checked our settings I found they cached every .aspx page for three minutes, including many pages that read the session.

The solution

[Screenshot: the Edit Cache Rule dialog]

In IIS7, disable output caching for .aspx pages in any directory containing a page that depends on session state. To do this:

  1. Open Server Manager.
  2. Navigate to Roles -> Web Server (IIS) -> Internet Information Services (the same feature view is available directly in IIS Manager).
  3. Select the site you wish to modify.
  4. Select the folder containing the .aspx pages you need to turn caching off for.
  5. In the Features View, double-click "Output Caching".
  6. If a rule already exists for the .aspx extension, double-click it; otherwise right-click and select "Add…".
  7. Enter .aspx for "File name extension".
  8. Check "User-mode caching".
  9. Select "Prevent all caching".
  10. Check "Kernel-mode caching".
  11. Select "Prevent all caching".
  12. Click OK.
  13. Close Server Manager.

The rule is written to that folder's web.config as a <caching> profile, so it can be reviewed and deployed with the application instead of clicked through on every server. Check the parent site and the server level as well: a rule defined higher up still applies to every folder that does not override it.
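An added example, not code from the post, for checking the result of the procedure above across a whole server: it enumerates every site and application with Microsoft.Web.Administration, reports any output cache rule for .aspx that is not set to "Prevent all caching" for both user and kernel mode, and with --fix rewrites it. "Prevent all caching" in the dialog corresponds to policy="DisableCache" in the configuration. The comment at the top shows the rule as it was found (every .aspx cached for three minutes) beside the corrected one; the duration and the program name are assumptions.

```csharp
// Added example (not from the post): audit IIS7 output cache rules for .aspx and
// optionally rewrite them to DisableCache. Build against
// %windir%\system32\inetsrv\Microsoft.Web.Administration.dll and run elevated.
//
//   <system.webServer>
//     <caching>
//       <profiles>
//         <!-- weak: every .aspx response cached and handed to the next client -->
//         <add extension=".aspx" policy="CacheForTimePeriod"
//              kernelCachePolicy="CacheForTimePeriod" duration="00:03:00" />
//         <!-- corrected: what "Prevent all caching" writes -->
//         <add extension=".aspx" policy="DisableCache" kernelCachePolicy="DisableCache" />
//       </profiles>
//     </caching>
//   </system.webServer>
using System;
using Microsoft.Web.Administration;

static class OutputCacheAudit
{
    // Exit code is the number of unsafe rules found, so this can gate a deployment.
    static int Main(string[] args)
    {
        bool fix = args.Length == 1 && args[0] == "--fix";
        int unsafeRules = 0;

        using (var mgr = new ServerManager())
        {
            foreach (Site site in mgr.Sites)
            {
                foreach (Application app in site.Applications)
                {
                    // Effective configuration at the application root. This includes
                    // rules inherited from the site and server level; rules set only
                    // in a sub-folder's web.config are not visible from here.
                    Configuration cfg = mgr.GetWebConfiguration(site.Name, app.Path);
                    ConfigurationElementCollection profiles =
                        cfg.GetSection("system.webServer/caching").GetCollection("profiles");

                    foreach (ConfigurationElement rule in profiles)
                    {
                        string ext = (string)rule["extension"];
                        if (!string.Equals(ext, ".aspx", StringComparison.OrdinalIgnoreCase))
                            continue;

                        string user = EnumName(rule.GetAttribute("policy"));
                        string kernel = EnumName(rule.GetAttribute("kernelCachePolicy"));
                        bool safe = user == "DisableCache" && kernel == "DisableCache";

                        Console.WriteLine("{0}{1}: .aspx user={2} kernel={3}{4}",
                            site.Name, app.Path, user, kernel,
                            safe ? "" : "  <-- caches session-dependent pages");
                        if (safe)
                            continue;

                        unsafeRules++;
                        if (fix)
                        {
                            rule["policy"] = "DisableCache";
                            rule["kernelCachePolicy"] = "DisableCache";
                        }
                    }
                }
            }
            if (fix)
                mgr.CommitChanges();
        }
        return unsafeRules;
    }

    // Enum attributes may come back as their numeric value; map that to the
    // friendly name from the schema so the report reads like the dialog.
    static string EnumName(ConfigurationAttribute attr)
    {
        string asString = attr.Value as string;
        if (asString != null)
            return asString;
        long v = Convert.ToInt64(attr.Value);
        foreach (ConfigurationEnumValue ev in attr.Schema.GetEnumValues())
            if (ev.Value == v)
                return ev.FriendlyName;
        return v.ToString();
    }
}
```

Run it once without --fix to see where the rules come from; a rule reported for every application on a site is usually defined at the site or server level, and it is cleaner to correct it there than to write an override into each application's web.config. Per-folder rules, which is where the dialog above writes them, still need the folder's web.config checked directly.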
Copyright © 2009 Hanan Schwartzberg. All rights reserved.