Arthur Fuller
fuller.artful at gmail.com
Wed Jul 2 12:16:08 CDT 2008
We are having a bizarre problem, just reported recently by a couple of
users. We have randomly been able to duplicate the problem.
Scenario:
1. Web site requires login. Submit button fires a stored procedure.
2. You should see your data page, and I should see mine. The sproc is
straightforward, nothing complex or magical at all.
3. Somehow or other, and apparently at random, the system gets confused with
SessionID. We have two distinctly different types of problem, but both
involving most of the same data:
Scenario 1:
user a and b login and see user c's data (who is not logged in)
Scenario 2: (internal test)
user a and b both login, then 1 second later (new window) user b logs in
and gets user a's data.
All this points (IMO) to a bug in the SessionID thing. It seems to be
similar to the scoping of IDs in SQL, but I don't know pretty much
everything about IIS, so I'm reaching out for ideas. The sproc behind the
login Submit button hasn't changed for a year or more, but the faulty
behavior was just reported about a week ago, and then reported again, and
then we were able to duplicate it ourselves. There's nothing in the SQL part
of this that could cause this, IMO. Completely different user names and
completely different passwords, but somehow the SessionIDs are getting
confused.
Has anyone any ideas for how to get to the bottom of this problem?
TIA,
Arthur