[Mono-aspnet-list] Users picking up other user's session info

dugc dugald at dolce.co.uk
Thu Sep 9 10:24:52 EDT 2010



Hi All,

This one is a real head scratcher for me.

Some users are logging into my site and (very occasionally) are picking up
other users' session info.  Sometimes it happens straight after logging in,
sometimes it happens on refreshing a page.  The user id and area code are
shown at the top of the page (each relating to a separate session object)
and sometimes you can press F5 several times in quick succession and get a
few different users' names (and correct corresponding area codes) at the top
of the page.  It is very worrying and a serious security issue.

It only happens during busy times.  When it happens it is not just some of
the session info, but all of it (I store around 20 items in session
objects).

I use forms authentication and sessionState mode is 'inProc'.   Here is my
Web.config:

<configuration>
  	<system.web>
		<machineKey
validationKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
decryptionKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
validation="SHA1"/>
		<customErrors mode="Off"/>
		<authentication mode="Forms">
		  <forms loginUrl="login.aspx" timeout="480" name="cumbria_auth" path="/cumbria">
		  </forms>
		</authentication>
		<authorization>
		  <deny users="?" />
		</authorization>
		<compilation defaultLanguage="c#" debug="false" batch="false"  />
		<globalization culture="en-GB" uiCulture="en-GB" fileEncoding="iso-8859-1" />
		<sessionState mode="InProc" timeout="480" />
		<httpRuntime executionTimeout="90"
			 maxRequestLength="4096"
			 useFullyQualifiedRedirectUrl="false"
			 minFreeThreads="15"
			 minLocalRequestFreeThreads="4"
			 appRequestQueueLimit="200" />
  	</system.web>
  	<appSettings>
		<add key="DBinfo" value="server=localhost;User ID=XXXXX;Password=XXXXX;database=XXXXX" />
  	</appSettings> 
</configuration> 

I don't even know what to try to be honest; I recently upgraded from Mono
1.1 to 2.4 (Ubuntu server, official packages) and it is since then that this
has been an issue.  If anyone can even suggest something to try I would
really appreciate it.

Regards,  Dugald
-- 
View this message in context: http://mono.1490590.n4.nabble.com/Users-picking-up-other-user-s-session-info-tp2532955p2532955.html
Sent from the Mono - ASP.NET mailing list archive at Nabble.com.