[dba-Tech] IIS issue

Peter Brawley peter.brawley at earthlink.net
Wed Jul 2 14:40:33 CDT 2008 

Arthur

IIS 5, 6 or 7? HTTPs? .NET 2 or 3.5? SQL Server 2005? VS 2005? All IIS 
patches installed, especially the security patches?

Is session.sessionID used by the db (MSDN says you shouldn't)?

P.


Arthur Fuller wrote:
> We are having a bizarre problem, just reported recently by a couple of
> users. We have randomly been able to duplicate the problem.
>
> Scenario:
>
> 1. Web site requires login. Submit button fires a stored procedure.
> 2. You should see your data page, and I should see mine. The sproc is
> straightforward, nothing complex or magical at all.
> 3. Somehow or other, and apparently at random, the system gets confused with
> SessionID. We have two distinctly different types of problem, but both
> involving most of the same data:
>
> Scenario 1:
>     user a and b login and see user c's data (who is not logged in)
> Scenario 2: (internal test)
>     user a and b both login, then 1 second later (new window) user b logs in
> and gets user a's data.
>
> All this points (IMO) to a bug in the SessionID thing. It seems to be
> similar to the scoping of IDs in SQL, but I don't know pretty much
> everything about IIS, so I'm reaching out for ideas. The sproc  behind the
> login Submit button hasn't changed for a year or more, but the faulty
> behavior was just reported about a week ago, and then reported again, and
> then we were able to duplicate it ourselves. There's nothing in the SQL part
> of this that could cause this, IMO. Completely different user names and
> completely different passwords, but somehow the SessionIDs are getting
> confused.
>
> Has anyone any ideas for how to get to the bottom of this problem?
>
> TIA,
> Arthur
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG. 
> Version: 8.0.134 / Virus Database: 270.4.3/1529 - Release Date: 7/1/2008 7:23 PM
>

More information about the dba-Tech mailing list