We have an old ASP.NET 2.0 web forms application running on a customers hardware that makes extensive use of the session state. The website is currently running on an old Windows 2003 web server (due to be replaced soon) and is currently configured to use SQL Server for the session state store.
We have recently discovered an issue where it appears that some session data is being swapped between sessions when different users hit the same page at the same time. These users are completely unrelated, have different session ID's and are coming from different IP addresses.
In particular there is 1 variable that is being swapped. This is an array holding a number of different pieces of information and data types (strings, integers and dates). A hangover from its ASP roots.
Both users have pushed a button on the same page generating a 2 POST requests within a few milliseconds of each other. Our logging has recorded some of the values from the session state. The response to these POST requests is a redirect to the next page in the process.
The logging has recorded the 2 GET requests 200 milliseconds apart for this next page and has recorded the session state information for these 2 requests. The session state variables look correct except for the values from this array.
These appear to have been swapped. User A is now working with the array that user B started with and vice versa.
Has anyone seen anything like this before?
The system is due to be rewritten/upgraded in the coming months we do however need a solution to this for the interim until that can be done.
Thanks Gavin
