使用 StateServer 的 ASP.NET 会话混淆(可怕！) [英] ASP.NET Session Mix-up using StateServer (SCARY!)

问题描述

我们在会话中存储两个对象.不知何故，来自另一个用户的一个对象被加载到另一个用户的会话中.用户本应无权访问这些特定数据，一旦他们看到这些数据，他们就知道有些不对劲.

We store two objects in session. Somehow, one of the objects from another user got loaded into a different user's session. The user should have had no access to this particular data, and as soon as they saw it they knew something was very wrong.

我们有提供给他的数据的视觉证据，除非会议混淆，否则肯定不可能发生.这是一个我们无法弄清楚的非常可怕的情况(我们无法重现它).我们唯一的答案是责怪 ASP.NET StateServer 将会话变量混在一起，这是完全不能接受的，并且让我们处于不利的境地.

We have visual proof of the data that was presented to him, and there is certainly no way it could've happened unless the sessions got mixed up. This is a very scary situation which we can not figure out (we can not reproduce it). The only answer for us is to blame ASP.NET StateServer for mixing the session variables up, which is completely unacceptable and puts us in a bad position.

我们的应用程序是在带有 IIS6 的 Windows Server 2003 上运行的 ASP.NET 2.0 应用程序，使用 StateServer cookieless="false" 会话模式和 FormsAuthentication.

Our applications are ASP.NET 2.0 apps running on Windows Server 2003 with IIS6, using the StateServer cookieless="false" session mode and FormsAuthentication.

有没有其他人遇到过这个问题?我们该如何解决?

Has anybody else had this problem? How can we resolve it?

推荐答案

我们在我之前的公司遇到了这个确切的问题，并花了 3 周的时间来调试它.ASP.NET 为用户提供了其他人的会话状态.在调试环境中真的无法复制.

We ran into this exact issue in my previous company and took 3 weeks to debug it. ASP.NET was giving a user someone else's session state. It was really impossible to duplicate in a debug environment.

当我们发现它只是 web.config 中的一些东西时的修复.我不太记得了，所以我花了一些时间在谷歌上搜索.我相信这个问题与输出缓存有关.看看会话和输出缓存"下的这篇文章.

The fix when we found it was just something in web.config. I don't fully remember it, so I spent some time googling. I believe the issue had something to do with output caching. Take a look at this article under "Sessions and Output Caching".

http://download.microsoft.com/download/3/a/7/3a7fa450-1f33-41f7-9e6d-3aa95b5a6aea/MSDNMagazineJuly2006en-us.chm(文章标题为通过避免这 10 个常见的 ASP.NET 陷阱 作者:Jeff Prosise，MSDN 杂志 2006 年 7 月版)

http://download.microsoft.com/download/3/a/7/3a7fa450-1f33-41f7-9e6d-3aa95b5a6aea/MSDNMagazineJuly2006en-us.chm (the article is titled Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls by Jeff Prosise in July 2006 edition of MSDN magazine)

如果这听起来像您的情况，那么修复可能只是禁用 web.config 中的 enableKernelOutputCache 选项.

If that sounds like your scenario, then the fix might just be disabling the enableKernelOutputCache option in web.config.

祝你好运.

这篇关于使用 StateServer 的 ASP.NET 会话混淆(可怕！)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！