Bytes | Software Development & Data Engineering Community

Individual ASPState session can be reused by multiple users?!

We are a software company that builds an ASP.Net web application which
implements cookieless sessionState with SQL Server - the session is stored in
the URL. Our ASPState database has been built using the standard MS scripts.
The application is used by Admins to look at end users' accounts - permissions
dictate that certain admins have access to certain end users.

Our Admins (who work from the same facility) have reported problems, stating
that while looking at their end user's account they are suddenly taken into
another administrator's end user account that this other administrator is
working on. Turns out the sessions are criss-crossing.

An administrator bookmarked the login page, which contained the session id
(since ASP.Net creates the session immediately, before any authentication),
and later sent the bookmark to another admin to use. So when both admins log
in, they end up using the same session id and can see each other's end user
depending on who navigates where first with the browser. ASPState doesn't
bark that 2 individuals are using the same session.

This doesn't give us the happy fun feeling we usually have with the dot net
platform. Microsoft MUST already know about such a blatant issue. And we were
surprised that their sprocs that call the AspState tables don't check for
sessions that already exist when attempting to create an initial session.
Basically:

1. User1 uses bookmark with session inside of URL to hit login page.
2. ASPState stores session that was passed in.
3. User1 enters login information and successfully logs in.
4. User2 uses same bookmark with same session inside of URL and hits login page.
5. ASPState doesn't create a new session since it already exists.
6. User2 enters login info and successfully logs in.
7. User1 and User2 sessions are jumbled and private data is potentially observed.

Does anyone know a way around this?
Jul 21 '05 #1
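The store behaviour the post describes, and its usual remedy (abandoning the pre-login session and issuing a fresh, server-generated ID at the moment of authentication instead of keeping the ID the client brought in the URL), modelled in Python as an added example. This is not ASP.NET or ASPState code; the store, the bookmarked ID and the user names are all constructed for the replay of the post's seven steps.

```python
# Added example (not from the original post): a minimal model of a URL-keyed
# session store, replaying the seven-step scenario from the post.
# Vulnerable policy: honour whatever session ID the client presents (what the
# post observes). Hardened policy: mint a new server-generated ID at login,
# so a bookmarked pre-login ID can never become a shared authenticated session.
import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, dict] = {}   # session_id -> session data

    def request(self, client_id: Optional[str]) -> str:
        """A request arrives with the ID embedded in the URL. A known ID is
        reused; an unknown (or absent) one gets a session created under it.
        Creating under a client-chosen ID is the behaviour the post describes."""
        sid = client_id or secrets.token_urlsafe(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate `sid` and return the ID the client must use from now
        on. Vulnerable: keep the client's ID. Hardened: abandon the old
        session and bind the user to a new unguessable ID."""
        if not self.rotate_on_login:
            self.sessions[sid]["user"] = user
            return sid
        self.sessions.pop(sid, None)           # abandon pre-login session
        new_sid = secrets.token_urlsafe(16)    # never derived from client input
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def replay_bookmark_scenario(rotate_on_login: bool) -> Tuple[Optional[str], ...]:
    """Steps 1-7 from the post: two admins open the same bookmarked URL.
    Returns (user seen via User1's URL, user seen via User2's URL,
    user seen via the shared bookmark itself)."""
    store = SessionStore(rotate_on_login)
    bookmark_sid = "BOOKMARKED-ID"             # constructed, client-supplied
    sid1 = store.request(bookmark_sid)         # steps 1-2
    sid1 = store.login(sid1, "admin1")         # step 3
    sid2 = store.request(bookmark_sid)         # steps 4-5
    sid2 = store.login(sid2, "admin2")         # step 6
    return store.whoami(sid1), store.whoami(sid2), store.whoami(bookmark_sid)
```

With the vulnerable policy User1's URL now shows admin2's session (step 7); with rotation each admin lands in a distinct session and the bookmarked ID never carries an authenticated user.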