!!! huge problem, users get sessions of other users !!! (IIS7 bug?)
New Post 9/24/2009 12:46 PM
  Visualizer
665 posts
1st Level Poster




Re: !!! huge problem, users get sessions of other users !!! 

Hi Ori, I did some comprehensive testing tonight.

Scenario 1

  <KeepConnectedInterval Value="120000" />
  <KeepConnectedLimitation Value="4" />
  <add key ="sessionTimeout" value ="8"/>

Timeout screen after 5 minutes of inactivity, reproducible 5 times. If I press F5 the session is restored; I come into the application again at the page where I was before the timeout. I would expect a timeout after 4 * 2 + 8 = 16 minutes.

Scenario 2

  <KeepConnectedLimitation Value="4" />
  <add key ="sessionTimeout" value ="1"/>

Returned to login screen after 2 minutes, reproducible 5 times. I would expect a timeout after 4 * 2 + 1 = 8 minutes.

 

So now I'm totally lost and don't understand it anymore, or do I still misunderstand these settings???

What I want is that the user returns to the login screen after 8 minutes; I guess that shouldn't be too difficult :)

 

 
New Post 9/24/2009 3:15 PM
  palli
11189 posts
1st Level Poster




Re: !!! huge problem, users get sessions of other users !!! 

Hi Tom,

First, about the ThreadSuspend, you should take a look at the Wiki here.

About your scenarios. Not so sure about Scenario 1. You sure you didn't have any settings in code for HttpContext.Session.Timeout?

Scenario 2 is correct. Session times out after 1 minute, but no request is sent until the KeepConnectedInterval is reached, and that's when you get redirected to the logon screen. Nothing actually happens at the client when the session times out. Just on the server.

To automatically return the user to the logon screen after 8 minutes you could do that by having a session timeout of 7 minutes, KeepConnectedInterval at 8 minutes (8 * 60 * 1000 in the setting), and KeepConnectedLimitation must be at least 2, taking into account that you might lose those KeepConnected requests from time to time, so make sure they are at least two. But, you could as well have them going on indefinitely with these settings. Session should time out during every such period.

Note however that if the user returns to his workstation after 7 minutes and before 8 minutes he will be directed to the login screen when he tries to do something on the client, as the session has already timed out.

I do not think you can guarantee which one comes first, the KeepConnectedRequest or the timing out of the session if you set them both to 8 minutes.

Hope this clarifies,

Palli

 


Páll Björnsson - Visual WebGui support team - Email: support@visualwebgui.com
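The timing Palli describes, as an added example that is not part of the original posts and is not Visual WebGui code: a small Python model of an idle client. It assumes an ASP.NET-style sliding session timeout that every request reaching the server resets (keep-connected requests included), a 2-minute keep-connected interval for Scenario 2, and the hypothetical names `Outcome` and `idle_outcome`.

```python
from typing import NamedTuple, Optional


class Outcome(NamedTuple):
    redirect_at: Optional[float]  # minute the client is sent to the login screen
    expired_at: float             # minute the server-side session timed out
    race: bool                    # request and expiry fall on the same minute


def idle_outcome(session_timeout, keep_interval, keep_limit, user_returns_at=None):
    """Model a user who goes idle at minute 0 (all values in minutes).

    Assumption: each request that arrives before the session expires resets
    the sliding timeout; the client only learns the session is gone when it
    sends its next request.
    """
    # Keep-connected requests: one per interval, at most keep_limit of them.
    requests = [keep_interval * n for n in range(1, keep_limit + 1)]
    if user_returns_at is not None:
        requests.append(user_returns_at)  # one user-triggered request

    expires_at = session_timeout
    for t in sorted(requests):
        if t == expires_at:
            # Same instant: which side wins is not guaranteed.
            return Outcome(t, expires_at, True)
        if t > expires_at:
            # The server no longer has the session: redirect to login.
            return Outcome(t, expires_at, False)
        expires_at = t + session_timeout  # request arrived in time
    # No request was sent after the expiry: the client shows nothing.
    return Outcome(None, expires_at, False)


if __name__ == "__main__":
    print("Scenario 2:        ", idle_outcome(1, 2, 4))
    print("7 min / 8 min:     ", idle_outcome(7, 8, 2))
    print("User back at 7.5:  ", idle_outcome(7, 8, 2, user_returns_at=7.5))
    print("Both at 8 minutes: ", idle_outcome(8, 8, 2))
    print("Scenario 1 values: ", idle_outcome(8, 2, 4))
```

Under these assumptions the model reproduces Scenario 2 and the 7/8-minute setup; for Scenario 1's settings it gives a server-side expiry at minute 16 with no client redirect, so it does not account for the 5-minute timeout screen reported there.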
 
New Post 9/24/2009 4:08 PM
  palli
11189 posts
1st Level Poster




Re: !!! huge problem, users get sessions of other users !!! 

Hi Again Tom,

About your "session conflicts".... don't know if you did mention it, but for the record, those two users you are talking about, they are on different workstations, right?

You might find some interesting material in this article here.

And lastly, following the ThreadSuspend info on the Wiki, I think it's worth the try to follow Joe's advice and abandon the session, as well as setting IsLoggedOn to False. That should ensure disposal and recreation of the session for sure.

There might also be another possible reason for this, and this keeps bugging me, as all my searches (like my first comment here) turn towards caching. Here is another user that does have similar effects and his results are: "Output caching on dynamic content - disable it". Don't know how your IIS7 is set up as for Output Caching, but as a follow up on this, here and here are two articles on output caching.

Hope this helps,

Palli

 


Páll Björnsson - Visual WebGui support team - Email: support@visualwebgui.com
 
New Post 9/25/2009 12:25 AM
  Visualizer
665 posts
1st Level Poster




Re: !!! huge problem, users get sessions of other users !!! 
(Modified By Visualizer on 9/25/2009 2:28:10 AM)

  <system.webServer>
    <handlers>
      <add name="WGX_64" path="*.wgx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness64" />
      <add name="WGX" path="*.wgx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
    </handlers>
    <caching>
      <profiles>
        <add extension=".wgx" policy="DontCache" kernelCachePolicy="CacheUntilChange" />
      </profiles>
    </caching>
  </system.webServer>

Thanks for all the answers! I'm going to study them and implement the ThreadSuspend.

Those two users were on different workstations, that's what is the most scary part....

I guess caching is turned off in the web.config, but I will also study that one.
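A check for the output-caching advice quoted earlier in the thread ("Output caching on dynamic content - disable it"), as an added example that is not part of the original posts: it lists every IIS caching-profile attribute that still permits caching for a dynamic extension. The sample input is constructed from the profile posted above; the function name `cacheable_profiles` is hypothetical, and an unset attribute is assumed to default to `DontCache`.

```python
import xml.etree.ElementTree as ET

# Policy values that do not allow a response to be cached.
NO_CACHE = {"DontCache", "DisableCache"}

# Constructed sample, reduced to the caching section of the posted web.config.
SAMPLE = """<configuration>
  <system.webServer>
    <caching>
      <profiles>
        <add extension=".wgx" policy="DontCache" kernelCachePolicy="CacheUntilChange" />
      </profiles>
    </caching>
  </system.webServer>
</configuration>"""


def cacheable_profiles(web_config_xml, dynamic_exts=(".wgx",)):
    """Return (extension, attribute, value) for each caching-profile
    attribute that still permits caching of a dynamic extension."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # iter() also finds system.webServer when it is the root element or is
    # nested inside a <location> element.
    for section in root.iter("system.webServer"):
        for profile in section.findall("caching/profiles/add"):
            ext = profile.get("extension", "").lower()
            if ext not in dynamic_exts:
                continue
            # User-mode and kernel-mode policies are set independently.
            for attr in ("policy", "kernelCachePolicy"):
                value = profile.get(attr, "DontCache")  # assumed default
                if value not in NO_CACHE:
                    findings.append((ext, attr, value))
    return findings


if __name__ == "__main__":
    for ext, attr, value in cacheable_profiles(SAMPLE):
        print(f"{ext}: {attr}={value} still permits caching")
```

On the constructed sample the check reports `kernelCachePolicy="CacheUntilChange"` for `.wgx`; the thread does not establish whether that setting is related to the session mix-up.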

 

 
New Post 9/25/2009 1:15 AM
  Visualizer
665 posts
1st Level Poster




Re: !!! huge problem, users get sessions of other users !!! 

We have implemented the ThreadSuspend but I guess it doesn't behave like it should...

  • just after the 2nd F5 press the ThreadSuspend is triggered
  • opening three window tabs with the same url, just after closing two tabs the session is killed, I can see because the first tab is going to the login page
  • closing the browser is not stopping in the ThreadSuspend
  • changing the url also not

From the first two points it looks like the action should occur two times before it's going to the ThreadSuspend, does this make sense...?

 