website issuing multiple ASPSESSIONID to same client..make it stop!!!

website issuing multiple ASPSESSIONID to same client..make it stop!!!

am 05.04.2007 00:40:58 von Steve Embry

Hello-

For some reason, at a website that has been trouble free for a couple of
months, multiple ASPSESSIONID's are now being set by IIS for each client
visitor, rather than the one you'd expect.

When you first visit the site and hit a page that sets a session, the
response.write of the HTTP_COOKIE server variable looks like you'd
expect...with just the one IIS-assigned ASPSESSIONID:
HTTP_COOKIE=
ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB

....but when you add items to your shopping basket(stored in a db, no
persistent cookies being used), then go view your order or continue shopping
and view the response.write again, it's now a string of ASPSESSIONID's like:

HTTP_COOKIE=
ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB;
ASPSESSIONIDQSCCTBDS=NPKKPFKAPCNEEBMEKIDCPNKG;
ASPSESSIONIDSSCARBCS=JDCHGKPAOJFMKEAGIIMLGCAD

The problem manifests itself in that RANDOMLY, IIS appears to be recognizing
the user/client as one or the other of the ASPSESSIONID's in the string...in
effect, IIS no longer recognizes the user that added items to their basket a
minute ago because it is paying attention to one of the other ASPSESSIONID's
in the string which haven't got any session variables defined via
scripting....you can refresh your page a few times and it thinks you are a
different visitor with no sessions...refresh a few more times and it thinks
you're the original person with active sessions...a very frustrating issue.

The server is Windows Server 2003 and has IIS 6 on it.

I've done a lot of digging on the web for information about this phenomenon,
but nothing I've found seemed applicable ...or worked.

1. The website doesn't use frames
2. The problem occurs whether staying in http or https or crossing between
the two types of connections
3. The server is not a member of a web farm that utilizes load balancing
4. I've assured that my global.asa file has read and execute permissions for
IUSR
5. I've stubbed out everything in the Session_OnStart sub of my global.asa
file
6. I've pulled out hand-fulls of hair, cussed and gritted my teeth for
several days
...nothing works...

Any help making it stop this behavior would be greatly appreciated!!!

Thanks,
Steve

Re: website issuing multiple ASPSESSIONID to same client..make it stop!!!

am 05.04.2007 10:15:17 von Anthony Jones

"Steve Embry" wrote in message
news:5LmdndP8wdjstInbnZ2dnUVZ_u2mnZ2d@speakeasy.net...
> Hello-
>
> For some reason, at a website that has been trouble free for a couple of
> months, multiple ASPSESSIONID's are now being set by IIS for each client
> visitor, rather than the one you'd expect.
>
> When you first visit the site and hit a page that sets a session, the
> response.write of the HTTP_COOKIE server variable looks like you'd
> expect...with just the one IIS-assigned ASPSESSIONID:
> HTTP_COOKIE=
> ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB
>
> ...but when you add items to your shopping basket(stored in a db, no
> persistent cookies being used), then go view your order or continue
shopping
> and view the response.write again, it's now a string of ASPSESSIONID's
like:
>
> HTTP_COOKIE=
> ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB;
> ASPSESSIONIDQSCCTBDS=NPKKPFKAPCNEEBMEKIDCPNKG;
> ASPSESSIONIDSSCARBCS=JDCHGKPAOJFMKEAGIIMLGCAD
>
> The problem manifests itself in that RANDOMLY, IIS appears to be
recognizing
> the user/client as one or the other of the ASPSESSIONID's in the
string...in
> effect, IIS no longer recognizes the user that added items to their basket
a
> minute ago because it is paying attention to one of the other
ASPSESSIONID's
> in the string which haven't got any session variables defined via
> scripting....you can refresh your page a few times and it thinks you are a
> different visitor with no sessions...refresh a few more times and it
thinks
> you're the original person with active sessions...a very frustrating
issue.
>
> The server is Windows Server 2003 and has IIS 6 on it.
>
> I've done a lot of digging on the web for information about this
phenomenon,
> but nothing I've found seemed applicable ...or worked.
>
> 1. The website doesn't use frames
> 2. The problem occurs whether staying in http or https or crossing between
> the two types of connections
> 3. The server is not a member of a web farm that utilizes load balancing
> 4. I've assured that my global.asa file has read and execute permissions
for
> IUSR
> 5. I've stubbed out everything in the Session_OnStart sub of my global.asa
> file
> 6. I've pulled out hand-fulls of hair, cussed and gritted my teeth for
> several days
> ..nothing works...
>
> Any help making it stop this behavior would be greatly appreciated!!!
>
> Thanks,
> Steve

Have you looked into the event log to see if anything un-toward is
happening?
A clue is found in that the cookie name is changing. This happens when the
application is recycled.

Re: website issuing multiple ASPSESSIONID to same client..make it stop!!!

am 05.04.2007 10:15:17 von Anthony Jones

"Steve Embry" wrote in message
news:5LmdndP8wdjstInbnZ2dnUVZ_u2mnZ2d@speakeasy.net...
> Hello-
>
> For some reason, at a website that has been trouble free for a couple of
> months, multiple ASPSESSIONID's are now being set by IIS for each client
> visitor, rather than the one you'd expect.
>
> When you first visit the site and hit a page that sets a session, the
> response.write of the HTTP_COOKIE server variable looks like you'd
> expect...with just the one IIS-assigned ASPSESSIONID:
> HTTP_COOKIE=
> ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB
>
> ...but when you add items to your shopping basket(stored in a db, no
> persistent cookies being used), then go view your order or continue
shopping
> and view the response.write again, it's now a string of ASPSESSIONID's
like:
>
> HTTP_COOKIE=
> ASPSESSIONIDQSADRADT=DJGKPNMACDAJEPGHHKEPFOEB;
> ASPSESSIONIDQSCCTBDS=NPKKPFKAPCNEEBMEKIDCPNKG;
> ASPSESSIONIDSSCARBCS=JDCHGKPAOJFMKEAGIIMLGCAD
>
> The problem manifests itself in that RANDOMLY, IIS appears to be
recognizing
> the user/client as one or the other of the ASPSESSIONID's in the
string...in
> effect, IIS no longer recognizes the user that added items to their basket
a
> minute ago because it is paying attention to one of the other
ASPSESSIONID's
> in the string which haven't got any session variables defined via
> scripting....you can refresh your page a few times and it thinks you are a
> different visitor with no sessions...refresh a few more times and it
thinks
> you're the original person with active sessions...a very frustrating
issue.
>
> The server is Windows Server 2003 and has IIS 6 on it.
>
> I've done a lot of digging on the web for information about this
phenomenon,
> but nothing I've found seemed applicable ...or worked.
>
> 1. The website doesn't use frames
> 2. The problem occurs whether staying in http or https or crossing between
> the two types of connections
> 3. The server is not a member of a web farm that utilizes load balancing
> 4. I've assured that my global.asa file has read and execute permissions
for
> IUSR
> 5. I've stubbed out everything in the Session_OnStart sub of my global.asa
> file
> 6. I've pulled out hand-fulls of hair, cussed and gritted my teeth for
> several days
> ..nothing works...
>
> Any help making it stop this behavior would be greatly appreciated!!!
>
> Thanks,
> Steve

Have you looked into the event log to see if anything un-toward is
happening?
A clue is found in that the cookie name is changing. This happens when the
application is recycled.