ASP.NET Session Mix-up using StateServer (SCARY!)

Question

We store two objects in session. Somehow, one of the objects from another user got loaded into a different user\'s session. The user should have had no access to this partic

Answer 1

We ran into this exact issue in my previous company and took 3 weeks to debug it. ASP.NET was giving a user someone else's session state. It was really impossible to duplicate in a debug environment.

The fix when we found it was just something in web.config. I don't fully remember it, so I spent some time googling. I believe the issue had something to do with output caching. Take a look at this article under "Sessions and Output Caching".

http://download.microsoft.com/download/3/a/7/3a7fa450-1f33-41f7-9e6d-3aa95b5a6aea/MSDNMagazineJuly2006en-us.chm (the article is titled Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls by Jeff Prosise in July 2006 edition of MSDN magazine)

If that sounds like your scenario, then the fix might just be disabling the enableKernelOutputCache option in web.config.

Good luck.