Session mix-up issue

We ran into a strange issue 2 days back in our client's production 
environment. A remote user logs in and finds out that the data available in 
the web page are from a different user. The client environment has 
.net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The 
web server is on NLB and in a DMZ. The sessions are maintained InProc. 

We analysed the IIS logs and the network logs for that duration and were not 
able to conclude if this was a security issue or a genuine application 
related issue.

Request your inputs in solving this issue.
0
Utf
1/21/2010 10:33:01 AM
dotnet.framework.aspnet

8 Replies
1943 Views


Benjamin Sunil wrote:
> We ran into a strange issue 2 days back in our client's production
> environment. A remote user, logs in and finds out that the data
> available in the web page are from a different user. The client
> environement is having .net 3.5 running on Windows 2003 server
> connected to an Oracle 10g DB. The web server is on NLB and in a DMZ.
> The sessions are maintained In proc.
>
> We analysed the IIS logs and the network logs for that duration and
> were not able to conclude if this was a security issue or a genuine
> application related issue.
>
> Request your inputs in solving this issue.

The problem appears to be that you're using NLB so any server could respond 
to the requests, but you're using in-process session state, so each server 
has its own version of that session's state. You need to have one machine 
looking after the session state for all the servers.

"ASP.NET Session State"
http://msdn.microsoft.com/en-us/library/ms972429.aspx

Andrew 


0
Andrew
1/21/2010 10:43:55 AM
Andrew Morton wrote:
> "ASP.NET Session State"
> http://msdn.microsoft.com/en-us/library/ms972429.aspx

Or the current version instead of the 10-year-old one:
http://msdn.microsoft.com/en-us/library/z1hkazw7.aspx

Andrew 


0
Andrew
1/21/2010 10:51:20 AM
Your application probably stores session/request info in a static 
variable (or VB module) so it's shared between all requests.

-- bruce (sqlwork.com)



Benjamin Sunil wrote:
> We ran into a strange issue 2 days back in our client's production 
> environment. A remote user, logs in and finds out that the data available in 
> the web page are from a different user. The client environement is having 
> .net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The 
> web server is on NLB and in a DMZ. The sessions are maintained In proc. 
> 
> We analysed the IIS logs and the network logs for that duration and were not 
> able to conclude if this was a security issue or a genuine application 
> related issue.
> 
> Request your inputs in solving this issue.
0
bruce
1/22/2010 2:08:01 AM
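The static-variable failure bruce describes, as an added simulation that is not code from the original thread or from the application under discussion. It interleaves two requests deterministically instead of racing real threads; the names PageRequest, BrokenLookup and FixedLookup are constructed for the example, and Items stands in for HttpContext.Items.

```csharp
using System;
using System.Collections.Generic;

// Constructed simulation of two overlapping requests, one from "alice" and one from
// "bob". In ASP.NET each request runs on its own worker thread; here the two are
// interleaved step by step so the outcome is deterministic and repeatable.
class PageRequest
{
    public string UserId;       // who sent this request (authenticated identity)
    public string RenderedFor;  // whose profile the response ended up showing
    public Dictionary<string, object> Items = new Dictionary<string, object>(); // like HttpContext.Items
}

// BUG: a static field (or a VB Module variable) exists once per worker process and is
// shared by every request thread, so it is never "per user".
static class BrokenLookup
{
    public static string CurrentUserId;

    // Page_Load, first half: remember who is asking.
    public static void Begin(PageRequest r) { CurrentUserId = r.UserId; }
    // Later in the same request (after a database call, say): use the remembered user.
    public static void End(PageRequest r) { r.RenderedFor = CurrentUserId; }
}

// Fix: keep the value on a per-request object (the Page instance, HttpContext.Items)
// or in Session, which is keyed by the caller's session cookie. Concurrent requests
// then cannot overwrite each other.
static class FixedLookup
{
    public static void Begin(PageRequest r) { r.Items["UserId"] = r.UserId; }
    public static void End(PageRequest r) { r.RenderedFor = (string)r.Items["UserId"]; }
}

static class Demo
{
    // Runs alice and bob overlapped: both requests start before either finishes.
    // Returns { what alice saw, what bob saw }.
    public static string[] Interleave(Action<PageRequest> begin, Action<PageRequest> end)
    {
        var alice = new PageRequest { UserId = "alice" };
        var bob = new PageRequest { UserId = "bob" };
        begin(alice);   // thread 1 stores its user
        begin(bob);     // thread 2 stores its user (overwrites the static in BrokenLookup)
        end(alice);     // thread 1 reads back and, with the static, gets bob's identity
        end(bob);
        return new[] { alice.RenderedFor, bob.RenderedFor };
    }

    static void Main()
    {
        var broken = Interleave(BrokenLookup.Begin, BrokenLookup.End);
        Console.WriteLine("static field : alice sees {0}, bob sees {1}", broken[0], broken[1]);

        var perRequest = Interleave(FixedLookup.Begin, FixedLookup.End);
        Console.WriteLine("per-request  : alice sees {0}, bob sees {1}", perRequest[0], perRequest[1]);
    }
}
```

With the static field, alice's page renders bob's identity, which is exactly the symptom in the original post; with per-request storage each user sees only their own.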
Benjamin Sunil wrote:
> We ran into a strange issue 2 days back in our client's production 
> environment. A remote user, logs in and finds out that the data available in 
> the web page are from a different user. The client environement is having 
> .net 3.5 running on Windows 2003 server connected to an Oracle 10g DB. The 
> web server is on NLB and in a DMZ. The sessions are maintained In proc. 
> 
> We analysed the IIS logs and the network logs for that duration and were not 
> able to conclude if this was a security issue or a genuine application 
> related issue.
> 
> Request your inputs in solving this issue.

Same application being used by two clients at about the same time. The 
session variables have the same names assigned being used in both 
sessions with the application. In effect, they are using the same memory.

One user does a save, and the session variables are re-populated. 
However, the other user does something to cause a postback, and now, the 
user has the session variables information that were populated by the 
other user.

The same application used by two or more users with session variables 
can step on each other's session variables in an InProc with session 
state in memory.

The way you get around this is that each session variable name should 
have a unique name based on some type of unique user information.

As an example, if a user has a userid, that would be the uniqueness 
needed to segregate the session variables between the users.

SessionVariableName + userid -- on a concatenation of 
SessionVariableName + userid will make the SessionVariableName unique to 
the user's session.

The session variables will not be stepped on, if you make session-names 
unique to the user.

0
Mr
1/22/2010 4:14:39 AM
Benjamin Sunil wrote:

<snipped>

I will say that it was happening with users that had the same 
application opened twice in the same session that inproc session 
variables were being stepped on, and the session variables were made 
unique within the same session.

I recall now what I had to do to correct it.
0
Mr
1/22/2010 4:37:32 AM

"Andrew Morton" wrote:

> Benjamin Sunil wrote:
> > We ran into a strange issue 2 days back in our client's production
> > environment. A remote user, logs in and finds out that the data
> > available in the web page are from a different user. The client
> > environement is having .net 3.5 running on Windows 2003 server
> > connected to an Oracle 10g DB. The web server is on NLB and in a DMZ.
> > The sessions are maintained In proc.
> >
> > We analysed the IIS logs and the network logs for that duration and
> > were not able to conclude if this was a security issue or a genuine
> > application related issue.
> >
> > Request your inputs in solving this issue.
> 
> The problem appears to be that you're using NLB so any server could respond 
> to the requests, but you're using in-process session state, so each server 
> has its own version of that session's state. You need to have one machine 
> looking after the session state for all the servers.
> 
> "ASP.NET Session State"
> http://msdn.microsoft.com/en-us/library/ms972429.aspx
> 
> Andrew 
> 
> 
> .
> 

Thanks much Andrew, but strangely in another client instance of the 
application, where there is no NLB, we faced the same issue. As explained by 
Arnold, this may be due to the same session name being used that gets 
populated to another user if they are accessing the application at the same 
time.

Will explore on this, meanwhile if there are any inputs please do share as 
it will be helpful in solving this at the earliest.

Thanks much,
Benjamin
0
Utf
1/29/2010 7:46:01 AM
Benjamin Sunil wrote:
> Thanks much Andrew, but strangely in another client instance of the
> application, where there is no NLB, we faced the same issue. As
> explained by Arnold, this may be due to the same session name being
> used that gets populated to another user if there are accessing the
> application at the same time.
>
> Will explore on this, meanwhile if there are any inputs please do
> share as it will be helpful in solving this at the earliest.

On the server not using load-balancing, does it happen to have Web Garden 
set to use more than one worker process for the Application Pool 
(Properties->Performance tab) for that web site? That has the same effect; 
using out-of-process session state is imperative in that case. Or else much 
"hilarity" ensues when we're testing.

Andrew 


0
Andrew
1/29/2010 9:25:41 AM
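The session state change Andrew recommends for the NLB farm, and again for a web garden, as an added web.config fragment that is not from the original thread or the client's application. STATE-SERVER-HOST and the machineKey values are placeholders to be replaced per environment.

```xml
<configuration>
  <system.web>
    <!-- Before: InProc keeps sessions inside one worker process. With NLB, or a
         web garden (several worker processes for one application pool), requests
         for one session can land in different processes, each with its own copy. -->
    <!-- <sessionState mode="InProc" timeout="20" /> -->

    <!-- After: every node and every worker process reads the same session store.
         STATE-SERVER-HOST is a placeholder; the ASP.NET State Service (aspnet_state)
         must be running and reachable there. mode="SQLServer" with
         sqlConnectionString is the alternative when the store must survive restarts. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-SERVER-HOST:42424"
                  timeout="20" />

    <!-- Identical on every NLB node so forms authentication tickets and view state
         issued by one node validate on the others; generate real keys, these are placeholders. -->
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
```

Note that this cures sessions being lost or reset between processes; it does not cure a static variable shared across requests, which leaks data even on a single worker process.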
Hi,

Unfortunately, we encountered the same issue yesterday in the client 
environment. User1 gets details of User2 who had logged in earlier in the 
day. We have asked the client to disable the NLB for now and monitor for 
re-occurrence of this issue.

Meanwhile will try out the session related solutions as advised. 

If there are any more inputs please do share.

Thanks much. 

"Mr. Arnold" wrote:

> Benjamin Sunil wrote:
> 
> <snipped>
> 
> I will say that it was happening with users that had the same 
> application opened twice in the same session that inproc session 
> variables were being stepped on, and the session variables were made 
> unique within the same session.
> 
> I recall now what I had to do to correct it.
> .
> 
0
Utf
2/1/2010 12:29:01 PM