
2 IE Sessions Sharing The Same Per-Session Cookie!!



Author
9 Mar 2006 2:25 PM
AnthonyC
I am having a problem tracking down what I believe to be a problem with the way cookies are being used on our website application.

When a user logs on to the application, an in-memory (per-session) cookie is created to hold the session key for the user. This unique key is assigned as part of the business layer logon process, and never changes while the user is logged on. The call to the business component returns this unique key if the logon was successful, and the cookie is set up as follows:

Response.Cookies("SessionKey").Path = "/"
Response.Cookies("SessionKey") = strSessionKey

Nowhere is the cookie assigned an .expires value.

Once a user has completed this logon process, they must then click past an intermediate agreement page before actually having access to the main application. When this intermediate page is submitted, it accesses the cookie, extracts the session identifier and writes the value to a database table.

The code to achieve this looks something like:

strSessionKey = Request.Cookies("SessionKey")
Dim objInstance
Set objInstance = Server.CreateObject("SomeComponent.SomeClass")
objInstance.StoreIdentifier strSessionKey
Set objInstance= nothing

The whole process works fine until I try to do the second stage (the intermediate agreement) with two separate IE sessions (there are 2 separate IEXPLORER.EXE entries in task manager) very quickly.

I can go through the whole process fine, and then while leaving the application open, I can start again with a new IE window and complete the process again. In each case the correct identifier is stored in the database for each separate session.

If I get to the second stage of the logon process with 2 separate IE sessions, and submit both agreement pages at the same time (or as close together as I can), then they both write the same unique session identifier to the database, as if they are accessing the same cookie! The session identifier used is the one from the first agreement page I submit. This definitely only happens if I do this at the same time. Wait a few seconds between the submissions and all is well.

Has anyone come across something like this before and can advise on a possible reason?

Thanks In Advance.

--
AnthonyC

Author
10 Mar 2006 8:48 AM
Anthony Jones


Sounds like a race condition in the SessionKey creation routine.

If, for example, the SessionKey creation uses a sequence which depends on the
StoreIdentifier method having been called with other SessionKeys, then a
race condition is possible.

Can you provide details on how the key is generated?  Any reason a GUID
won't work?

Or am I barking up the wrong tree?? :)

Anthony (J).
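
Added example, not part of the thread and not the application's code: a Python model of the race the reply above hypothesises, where a session key derived from what has already been stored is handed to two logons that overlap, next to a key drawn from a CSPRNG. `Store`, `sequence_key`, `random_key` and `run_two_logons` are hypothetical names, and the barrier only forces the unlucky interleaving so the result is repeatable.

```python
import secrets
import threading


class Store:
    """Hypothetical stand-in for the table that StoreIdentifier writes to."""

    def __init__(self):
        self.rows = []
        self._lock = threading.Lock()

    def count(self):
        with self._lock:
            return len(self.rows)

    def store_identifier(self, key):
        with self._lock:
            self.rows.append(key)


def sequence_key(store, barrier):
    # Check-then-act: the key depends on how many identifiers are stored so far.
    n = store.count()
    barrier.wait()  # both sessions have read the count before either one writes
    return "S%06d" % (n + 1)


def random_key(store, barrier):
    # Independent of shared state: 128 bits from the OS CSPRNG, like a random GUID.
    barrier.wait()
    return secrets.token_hex(16)


def run_two_logons(make_key):
    """Run two overlapping sessions and return the identifiers that were stored."""
    store = Store()
    barrier = threading.Barrier(2)

    def session():
        key = make_key(store, barrier)
        store.store_identifier(key)

    threads = [threading.Thread(target=session) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.rows
```

A unique constraint on the stored identifier column would turn the silent collision into an error the application can see.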
