Session state IDs mixed between users


Problem description




Hi,

I've already tried several avenues for this, and am quite stumped. The issue
I'm facing is a weird case of sessions getting mixed up (i.e. users seeing each
others' data). Apparently this happens at peak load times.

The configuration is W2K3 with ASP.NET 1.1, IIS6.0, Cookieless sessions and
SQL Server as a Session State backend. The problem appears with InProc sessions
as well.

At first I thought I might be using a static variable somewhere to populate
session data, but alas that doesn't seem to be the case.

I wrote a piece of code to act as a simple sanity check -- it stores the
user-agent and IP address of the initial request in the session state, and if
for some reason they don't match on a subsequent request, the user is presented
with an error page and the session data is dumped to a log file.

The log file indicates that several consecutive requests from different hosts
and/or user agents have happened, with the same session id in all of them!

Next I'm thinking maybe I'm doing a Context.Response.Redirect somewhere
that's messing the session id up, but the way I do it is I add the session id to
the redirect URL with Context.Response.ApplyAppPathModifier, and never manually
construct the URL.

(note that this seems to also happen with images I'm generating, and I'm
referring to the images with a relative URL)

Based on my look at the code and a brief glance at the log file it seems that
the obvious points of failure would be the Session State http module or
Context.Response.ApplyAppPathModifier. I'd much rather have the problem in my
code so I could fix it though, so if anyone can offer any pointers to what I
might be doing that causes this, I'd appreciate it.

Thanks for your time,

-Lauri

Recommended answer




Hi,

On a side note, the application is an HttpHandler (all the application code
resides in a single .dll file) that implements IRequiresSessionState.


If you wrote a simple one page high demand test program to run from multiple
hosts which has the checks you wrote can you still reproduce the symptoms in
the logs?

And are you sure that the log entries are not multiple requests from the
same client?

Just thinking aloud!

Mr N

"Lauri Kotilainen" <ry****@gmail.com> wrote in message
news:T5******************@reader1.news.jippii.net. ..


> Hi,
>
> On a side note, the application is an HttpHandler (all the application
> code resides in a single .dll file) that implements IRequiresSessionState.



Hi,

Thanks for your reply!

Mr Newbie wrote:
> If you wrote a simple one page high demand test program to run from multiple
> hosts which has the checks you wrote can you still reproduce the symptoms in
> the logs?

Basically I can't reproduce the symptoms at all (we've had test setups where
around a dozen people do the same things simultaneously). I'm able to test
the logging code since the check compares both the remote address and
user-agent, so if I copy the URL with the session ID to another browser, the
check is triggered.

> And are you sure that the log entries are not multiple requests from the
> same client?







Yes, I'm sure about that. I log the remote IP address, and I can spot several
places in the log where three or four different IPs (from distinctly different
subnets) have made a request with the same session id!

-Lauri
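
The log cross-check described in the thread (the same session id arriving from distinctly different subnets or user agents), as an added example that is not part of the original posts. The tab-separated log layout, the sample lines, the IPv4-only /24 grouping and the 24-character ID pattern for cookieless `/(id)/` URLs are assumptions, since the thread does not show the real log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "ip<TAB>user-agent<TAB>url" layout.
SAMPLE_LOG = """\
192.0.2.10\tMozilla/4.0 (compatible; MSIE 6.0)\t/app/(aaaaaaaaaaaaaaaaaaaaaaaa)/page.ashx
192.0.2.10\tMozilla/4.0 (compatible; MSIE 6.0)\t/app/(aaaaaaaaaaaaaaaaaaaaaaaa)/img.ashx?id=3
198.51.100.7\tMozilla/5.0 (X11; Linux) Firefox/1.5\t/app/(bbbbbbbbbbbbbbbbbbbbbbbb)/page.ashx
203.0.113.44\tOpera/8.5\t/app/(bbbbbbbbbbbbbbbbbbbbbbbb)/page.ashx
198.51.100.9\tMozilla/5.0 (X11; Linux) Firefox/1.5\t/app/(bbbbbbbbbbbbbbbbbbbbbbbb)/img.ashx?id=9
not a log line
"""

# Cookieless URLs carry the session ID as a parenthesised path segment
# (assumed here: 24 lowercase letters or digits).
SESSION_SEGMENT = re.compile(r"/\(([a-z0-9]{24})\)/")

def subnet24(ip):
    """Collapse an IPv4 address to its /24 so a client moving within one
    small address pool is not counted as several clients."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def clients_per_session(log_text):
    """Map session ID -> set of (subnet, user-agent) pairs that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing at fields
        ip, agent, url = parts
        match = SESSION_SEGMENT.search(url)
        if match:
            seen[match.group(1)].add((subnet24(ip), agent))
    return seen

def shared_sessions(log_text):
    """Return only the session IDs presented by more than one distinct client."""
    return {sid: sorted(clients)
            for sid, clients in clients_per_session(log_text).items()
            if len(clients) > 1}

if __name__ == "__main__":
    for sid, clients in shared_sessions(SAMPLE_LOG).items():
        print(sid, "presented by", len(clients), "distinct clients:")
        for subnet, agent in clients:
            print("   ", subnet, agent)
```

A flagged ID shows only that several clients presented the same ID; it does not say whether the server handed it out twice or the URL containing it reached a second client.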

