
2 IE Sessions Sharing The Same Per-Session Cookie!!


I am having a problem tracking down what I believe to be a problem with
the way cookies are being used on our website application.

When a user logs onto the application, an in-memory (per-session) cookie
is created to hold the session key for the user. This unique key is
assigned as part of the business layer logon process, and never changes
while the user is logged on. The call to the business component returns
this unique key if the logon was successful, and the cookie is set up
as follows:

Response.Cookies("SessionKey").Path = "/"
Response.Cookies("SessionKey") = strSessionKey

Nowhere is the cookie assigned an .expires value.

Once a user has completed this logon process, they must then click past
an intermediate agreement page before actually having access to the main
application. When this intermediate page is submitted, it accesses the
cookie, extracts the session identifier and writes the value to a
database table.

The code to achieve this looks something like:

strSessionKey = Request.Cookies("SessionKey")
Dim objInstance
Set objInstance = Server.CreateObject("SomeComponent.SomeClass")
objInstance.StoreIdentifier strSessionKey
Set objInstance= nothing

The whole process works fine until I try to do the second stage (the
intermediate agreement) with two separate IE sessions (there are 2
separate IEXPLORER.EXE entries in task manager) very quickly.

I can go through the whole process fine, and then while leaving the
application open, I can start again with a new IE window and complete
the process again. In each case the correct identifier is stored in the
database for each separate session.

If I get to the second stage of the logon process with 2 separate IE
sessions, and submit both agreement pages at the same time (or as close
together as I can), then they both write the same unique session
identifier to the database, as if they are accessing the same cookie!
The session identifier used is the one from the first agreement page I
submit. This definitely only happens if I do this at the same time.
Wait a few seconds between the submissions and all is well.

Has anyone come across something like this before and can advise on a
possible reason?

Thanks In Advance.

--
AnthonyC
------------------------------------------------------------------------
Posted via http://www.codecomments.com
------------------------------------------------------------------------

Mar 10 '06 #1

Sounds like a race condition in the SessionKey creation routine.

If, for example, the SessionKey creation uses a sequence which depends on the
StoreIdentifier method having been called with other SessionKeys, then a
race condition is possible.

Can you provide details on how the key is generated? Any reason a GUID
won't work?

Or am I barking up the wrong tree?? :)

Anthony (J).
Mar 10 '06 #2
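
The race the reply suspects, as an added Python example that is not part of the thread. The thread never shows how the key is generated, so `SequenceKeyIssuer` is a hypothetical read-then-write sequence standing in for it, and every class name and value is constructed. Two overlapping logons receive the same key; serializing the sequence, or issuing a random GUID as the reply suggests, removes the collision.

```python
import threading
import uuid

class SequenceKeyIssuer:
    """Hypothetical logon routine: next key = last issued key + 1."""
    def __init__(self, gate=None):
        self._last = 1000      # constructed starting value
        self._gate = gate      # optional Barrier that forces requests to overlap

    def issue(self):
        current = self._last   # step 1: read shared state
        if self._gate is not None:
            self._gate.wait()  # every overlapping request has now read the same value
        key = current + 1
        self._last = key       # step 2: write back, too late to keep keys unique
        return str(key)

class LockedSequenceIssuer(SequenceKeyIssuer):
    """Same sequence, but the read and the write form one critical section."""
    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def issue(self):
        with self._lock:
            return super().issue()

class GuidKeyIssuer:
    """Key does not depend on shared state; uuid4 draws from os.urandom."""
    def issue(self):
        return uuid.uuid4().hex

def concurrent_logons(issuer, n=2):
    """Run n logons on separate threads and return the keys they were given."""
    keys = [None] * n
    def worker(i):
        keys[i] = issuer.issue()
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return keys

if __name__ == "__main__":
    print("racy:  ", concurrent_logons(SequenceKeyIssuer(threading.Barrier(2))))
    print("locked:", concurrent_logons(LockedSequenceIssuer()))
    print("guid:  ", concurrent_logons(GuidKeyIssuer()))
```

Calling `issue()` twice in a row on an ungated `SequenceKeyIssuer` returns two different keys, which matches the poster's observation that waiting a few seconds between submissions hides the problem.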
