1

I originally used static variables to store some user information when a user is browsing my site. I had issues where occasionally a user would navigate somewhere and see a different user's name on the page. I switched to using session variables to solve this, but the same problem occurred. I then thought making the session variable names unique in some way would solve the problem, e.g. instead of

Session["userId"]

I changed all session variables to append the unique username of the user when they are created and referenced, so they are:

Session["userId" + Context.User.Identity.Name.ToString()]

So far I've had no reports of the issue, but is this actually going to work? Is there a simple way to protect sessions so the variables don't leak between users? I'm confident with ASP.NET code (webforms specifically) but have only encountered the session issue as more users use the site. I don't have much control over IIS settings as the site is built via AWS Elastic Beanstalk, so it's mostly default IIS settings.

2
  • Static variables in a web-app are problematic (as you found out), because it is one application (sharing the statics) serving multiple users. Session is designed to be user (or browser, really) specific. Are you sure you replaced all statics? Commented Sep 5, 2018 at 6:40
  • I'm fairly sure. I only had one static class that contained user properties and other temp properties related to site functionality. I replaced that with session variables throughout, and did a 'find all references' on the static object and there were none found. The site is small, the code base is small so I'm fairly confident but I'll re-check Commented Sep 5, 2018 at 22:27
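
The static-versus-session difference discussed in the question and comments, as an added example that is not part of the original post. The class and key names are hypothetical; the point is that a static field exists once per application and is shared by every request, while a session-backed property with the same call sites reads the caller's own session.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// BEFORE (leaks): one copy per application, shared by every request and user.
public static class CurrentUserStatic
{
    public static string UserId;      // last writer wins, whoever that was
    public static string DisplayName;
}

// AFTER: same static call sites, but each value lives in the caller's session.
public static class CurrentUser
{
    private static HttpSessionState Session
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            // Fail loudly instead of silently falling back to shared state.
            if (ctx == null || ctx.Session == null)
                throw new InvalidOperationException("No session for this request.");
            return ctx.Session;
        }
    }

    public static string UserId
    {
        get { return (string)Session["userId"]; }
        set { Session["userId"] = value; }
    }

    public static string DisplayName
    {
        get { return (string)Session["displayName"]; }
        set { Session["displayName"] = value; }
    }
}
```

A "find all references" on one static class does not cover other static fields, for example a static field on a page or a static cache, so those need the same review.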

2 Answers

1

This should work fine, but I suggest storing the username or user profile information in cookies or local storage since, as you mentioned, when a lot of users are logged in it maintains a session for them in server memory (I believe session is in-memory by default, not in-proc or Redis). This is not scalable, as if millions of users log in or you create a load test server, considerable memory will be taken by session management. A few hundred users, however, is not much overhead.

You can store information in the user's browser using sessionStorage like:

Setting value

sessionStorage.setItem("user_name", "test");

Getting Value

var userName = sessionStorage.getItem("user_name");

It can store a JavaScript object or JSON too.

Cookies are the old way to store info at the user end:

Creating cookie

document.cookie = "username=John Doe";

Reading cookie

document.cookie // "username=John Doe"

Forms authentication also provides encrypted and secured cookies, which are maintained with the session, which is also good if user profile information is sensitive data.

4 Comments

This is client-side storage, while the OP apparently wants to store server-side
Seems to me OP needs to store the user profile, not constrained to server or client side. I had the same thing, but when users increased I had to move it to client-side for performance, so I suggested the same
I have done some searching but can't find any C#/ASP.NET classes for working with session storage? (Local). I can however find JavaScript references. I'm no JavaScript guru, so not sure how to implement this? I guess I could use cookies, but apart from system-generated ones via things like OWIN middleware, I've not worked with custom cookies, so I'm worried I'd persist data too long and it would screw up the site.
A cookie is just a file created at the client location. It is only used when you read it. It can be time-bound or everlasting. Usually, if nothing is set, it deletes itself when the user session is closed, so I can't see any performance issue in that. Are you using forms authentication or OAuth? Or does the user profile (to be stored in the cookie) have anything related to personally identifiable data? The answer depends on that
0

Sorry, I can't write comments for your question, but: the same issue happened to a Java developer with AWS Elastic Beanstalk: https://forums.aws.amazon.com/thread.jspa?threadID=84027

First, I suggest you try to set no-cache for your HttpResponse (temporary solution), then I suggest you try to play with your IIS proxy settings.

If that didn't help (and you're using a load balancer), avoid using inproc settings, as in this topic: User on wrong session

PS. You really don't have to make session variable names different. Session uniqueness is guaranteed by ASP.NET setting a different Session_ID for each session.

3 Comments

Thanks Alexey, but if that's true, why did I have this issue in the first place?
There could be many reasons for this: your cookies got cached: blogs.msdn.microsoft.com/friis/2011/08/30/… or you use a load balancer, so your Sessions are stored in different threads and they don't know which Session_ID the other thread created, and it's a source of Session_ID collisions. These are the most common
Hi Alexey, I am using a load balancer, but there is still only a single instance / web server behind it. Will I still see that issue with only one machine to load balance to? And if that's the case, how do I solve it? (I can enable sticky sessions on the load balancer but haven't as I didn't see the point with only one instance at all times at the moment)
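
The no-cache suggestion from this answer, combined with a check that a session is only ever used by the user it was first bound to, as an added example that is not part of the original posts. It assumes a `Global.asax.cs` code-behind; the `__owner` key and the redirect to the application root are hypothetical choices.

```csharp
// Global.asax.cs (added example). "__owner" and the redirect target are assumptions.
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string OwnerKey = "__owner"; // hypothetical session key

    public override void Init()
    {
        base.Init();
        // Session state has been loaded by the time this event fires.
        PostAcquireRequestState += OnSessionReady;
    }

    private void OnSessionReady(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        HttpSessionState session = ctx.Session; // null for handlers without session state
        if (session == null) return;

        // Anything produced with a session may carry Set-Cookie or per-user markup,
        // so tell browsers and intermediaries not to store or replay it.
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.Cache.SetNoStore();

        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        string user = ctx.User.Identity.Name;
        string owner = session[OwnerKey] as string;
        if (owner == null)
        {
            session[OwnerKey] = user; // first authenticated request binds the session
        }
        else if (!string.Equals(owner, user, StringComparison.OrdinalIgnoreCase))
        {
            // Session cookie and auth ticket disagree: discard the session
            // instead of rendering another user's values.
            session.Clear();
            session.Abandon();
            ctx.Response.Redirect("~/", false);
            CompleteRequest();
        }
    }
}
```

Logging the mismatch branch before the redirect gives a direct signal of how often, and on which requests, a session reaches the wrong user.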
