用户附加到其他用户的会话 [英] User attached to other user's session
问题描述
我们正在努力应对ASP.NET 2.0
应用程序中的奇怪会话问题。我们的客户使用该应用程序访问与客户相关的信息,例如互联网上的发票。客户
必须登录,然后通过他们的客户编号和一些
存储在会话中的其他信息进行识别。我们使用asp.net会话cookie
系统来跟踪会话。这非常有效。不幸的是,
但我们偶尔会收到一些报告,客户可以看到并打开最近登录的另一位客户的发票。完成登录页面后立即发生这种情况。
。有趣的是,在打开
发票并点击返回后,浏览器的按钮,显示正确的数据
,无法再访问其他用户的数据。我们已经暂时调查了这个问题,我可以提供以下
信息:
- 用户使用他们自己的计算机而不与他人共享
- 在客户身份识别方面,应用程序中没有错误。
每个客户都必须登录他们自己的客户编号和密码。
- 它似乎不是特定于浏览器的问题
- asp.net应用程序中没有静态成员
- 我们无法重现这种似乎偶尔发生的行为
还有两件事可能会引起注意:使用asp.net网站
在我们整个公司网站的两个不同位置。一个位置打开
网站在新窗口中,另一个位置使用框架。如果网站嵌入框架中,则只出现错误
。
网站使用SecureSessionModule由msdn杂志提供。它是一个
自定义http请求处理程序,它将一些特定于机器的信息添加到会话ID中,以便使其更安全。但是,我不认为这个
模块会导致错误,因为它没有什么特别的。
我想某些机器上的某些浏览器会出现问题
处理页面是否嵌入到框架中,因此不会将
会话cookie发送到服务器。但是,这并不能解释为什么ASP.NET
将用户附加到另一个正在运行的会话(而不是引发错误)
并且它也没有解释为什么正确的会话在点击
之后使用浏览器的返回按钮按钮。可能是IIS执行了一些输出
缓存或类似的东西会导致这个错误吗?
我真的很想解决这个问题(不仅仅是通过获取摆脱
框架集)所以任何有用的建议都将受到高度赞赏。
问候,
本杰明
Hi,
we''re struggling with a strange session problem in an ASP.NET 2.0
application. The application is used by our customers to access
customer-related information such as invoices over the internet. Customer
have to log-in and are then identified by their customer number and some
other information stored in the session. We use the asp.net session cookie
system to keep track of the sessions. This works quite well. Unfortunately
though, we receive occasional reports that customers are able to see and open
the invoices of another customer that has recently logged-in. This happens
immediately after completing the log-in page. Interestingly, after opening an
invoice and clicking the "back" button of the browser, the correct data is
displayed and it is no longer possible to access the other user''s data. We''ve
been investigating this issue for a while now and I can provide the following
information:
- the users use their own computer and do not share it with others
- there is no bug in the application in terms of customer identification.
Each customer has to log-in with their very own customer number and password.
- it doesn''t seem to be a browser-specific issue
- there are no static members in the asp.net application
- we cannot reproduce the behavior as it seems to happen sporadically
Two more things might be interesting to mention: the asp.net-website is used
at two different locations of our overall company website. one location opens
the site in a new window, the other location uses frames. The error only
occurrs if the site is embedded in a frame.
The website uses the "SecureSessionModule" provided by msdn magazine. It''s a
custom http request handler that adds some machine-specific information to
the session id in order to make it more secure. However, I dont think this
module causes the error since it does nothing special.
I guess that some browsers on some machines have problems with session
handling if the page is embedded in a frame and therefore do not send the
session cookie to the server. However, this does not explain why ASP.NET
attaches the user to another running session (instead of raising an error)
and it does also not explain why the correct session is used after clicking
the browser''s "back" button. Could it be that IIS performs some output
caching or something similar which causes this error?
I would really like to solve this problem (not only by getting rid of the
frameset) so any helpful suggestions would be highly appreciated.
regards,
Benjamin
推荐答案
它是你代码中的一个错误。你可能在vb模块(或c#static)中存储对会话数据的引用
,导致数据在所有
请求中共享。
- 布鲁斯(sqlwork.com)
Benjamin Janecke写道:
its a bug in your code. you probably store a reference to session data
in a vb module (or c# static), causing the data to be shared across all
requests.
-- bruce (sqlwork.com)
Benjamin Janecke wrote:
我们正在努力解决ASP.NET 2.0
应用程序中的奇怪会话问题。我们的客户使用该应用程序访问与客户相关的信息,例如互联网上的发票。客户
必须登录,然后通过他们的客户编号和一些
存储在会话中的其他信息进行识别。我们使用asp.net会话cookie
系统来跟踪会话。这非常有效。不幸的是,
但我们偶尔会收到一些报告,客户可以看到并打开最近登录的另一位客户的发票。完成登录页面后立即发生这种情况。
。有趣的是,在打开
发票并点击返回后,浏览器的按钮,显示正确的数据
,无法再访问其他用户的数据。我们已经暂时调查了这个问题,我可以提供以下
信息:
- 用户使用他们自己的计算机而不与他人共享
- 在客户身份识别方面,应用程序中没有错误。
每个客户都必须登录他们自己的客户编号和密码。
- 它似乎不是特定于浏览器的问题
- asp.net应用程序中没有静态成员
- 我们无法重现这种似乎偶尔发生的行为
还有两件事可能会引起注意:使用asp.net网站
在我们整个公司网站的两个不同位置。一个位置打开
网站在新窗口中,另一个位置使用框架。如果网站嵌入框架中,则只出现错误
。
网站使用SecureSessionModule由msdn杂志提供。它是一个
自定义http请求处理程序,它将一些特定于机器的信息添加到会话ID中,以便使其更安全。但是,我不认为这个
模块会导致错误,因为它没有什么特别的。
我想某些机器上的某些浏览器会出现问题
处理页面是否嵌入到框架中,因此不会将
会话cookie发送到服务器。但是,这并不能解释为什么ASP.NET
将用户附加到另一个正在运行的会话(而不是引发错误)
并且它也没有解释为什么正确的会话在点击
之后使用浏览器的返回按钮按钮。可能是IIS执行了一些输出
缓存或类似的东西会导致这个错误吗?
我真的很想解决这个问题(不仅仅是通过获取摆脱
框架集,所以任何有用的建议都将受到高度赞赏。
问候,
本杰明
Hi,
we''re struggling with a strange session problem in an ASP.NET 2.0
application. The application is used by our customers to access
customer-related information such as invoices over the internet. Customer
have to log-in and are then identified by their customer number and some
other information stored in the session. We use the asp.net session cookie
system to keep track of the sessions. This works quite well. Unfortunately
though, we receive occasional reports that customers are able to see and open
the invoices of another customer that has recently logged-in. This happens
immediately after completing the log-in page. Interestingly, after opening an
invoice and clicking the "back" button of the browser, the correct data is
displayed and it is no longer possible to access the other user''s data. We''ve
been investigating this issue for a while now and I can provide the following
information:
- the users use their own computer and do not share it with others
- there is no bug in the application in terms of customer identification.
Each customer has to log-in with their very own customer number and password.
- it doesn''t seem to be a browser-specific issue
- there are no static members in the asp.net application
- we cannot reproduce the behavior as it seems to happen sporadically
Two more things might be interesting to mention: the asp.net-website is used
at two different locations of our overall company website. one location opens
the site in a new window, the other location uses frames. The error only
occurrs if the site is embedded in a frame.
The website uses the "SecureSessionModule" provided by msdn magazine. It''s a
custom http request handler that adds some machine-specific information to
the session id in order to make it more secure. However, I dont think this
module causes the error since it does nothing special.
I guess that some browsers on some machines have problems with session
handling if the page is embedded in a frame and therefore do not send the
session cookie to the server. However, this does not explain why ASP.NET
attaches the user to another running session (instead of raising an error)
and it does also not explain why the correct session is used after clicking
the browser''s "back" button. Could it be that IIS performs some output
caching or something similar which causes this error?
I would really like to solve this problem (not only by getting rid of the
frameset) so any helpful suggestions would be highly appreciated.
regards,
Benjamin
" Benjamin Janecke" < ************* @ discussion.microsoft.com写在
消息新闻:C1 *************** ******************* @ microsof t.com ...
"Benjamin Janecke" <Be*************@discussions.microsoft.comwrote in
message news:C1**********************************@microsof t.com...
我真的想解决这个问题问题(不仅仅是摆脱了
框架集),所以任何有用的建议都将受到高度赞赏。
I would really like to solve this problem (not only by getting rid of the
frameset) so any helpful suggestions would be highly appreciated.
你在任何地方使用静态(在VB.NET中共享)变量......?
Are you using static (Shared in VB.NET) variables anywhere...?
没有。
我也没有使用任何外部模块,而且我没有在任何地方存储
会话的引用。这是一个简单的asp.net应用程序,只使用webservices
。
" Mark Rae"写道:
No.
I''m also not using any external modules and I''m not storing a reference to
the session anywhere. This is a simple asp.net application using webservices
only.
"Mark Rae" wrote:
" Benjamin Janecke" < ************* @ discussion.microsoft.com写在
消息新闻:C1 *************** ******************* @ microsof t.com ...
"Benjamin Janecke" <Be*************@discussions.microsoft.comwrote in
message news:C1**********************************@microsof t.com...
我真的想解决这个问题问题(不仅仅是摆脱了
框架集),所以任何有用的建议都将受到高度赞赏。
I would really like to solve this problem (not only by getting rid of the
frameset) so any helpful suggestions would be highly appreciated.
您是否在任何地方使用静态(在VB.NET中共享)变量......?
Are you using static (Shared in VB.NET) variables anywhere...?
这篇关于用户附加到其他用户的会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
