IIS 6/.Net 2:How can user A get the user cookie for unrelated user B who is in a different session and on another box?
Question
1) user A goes to the site, creates an account, and logs in 2) user b goes to the site. Rather than having to log in, user b enters as though user b is user a. User b gets access to all of user a's data and can brows the site as user a.
Note: user b does not log in. User b just hits the site, and the site returns as if user b is already logged in as user a.
Note 2: user a and user b are on distinct computers. Also, static variables are not involved in the code.
Setup: IIS 6 .Net 2.0 OutputCache off for the pages in the site
3 answers
solution1
2 2008-11-04 18:25:14
检查您是否没有在静态(c#)或共享(VB)变量中存储任何数据。
solution2
0 ACCPTED 2008-11-04 18:13:43
This question seems quite similar to Apache/Tomcat error - wrong pages being delivered . As my answer to that question mentions, if you use session cookies, check if your Vary header is correct.
solution3
0 2008-11-04 22:29:36
From research by other team members:
Even though the authentication cookie may be in images from the portal, an authentication cookie with a ticket for David should never have been sent to Todd's browser. Also if images are cached somwhere somehow such that different users get other user's auth cookies then I assume this problem would happen fairly often and should be repeatable. However I am wondering if this is a load balanced system and if so does the load balancer cache anything?
Based on the known issue of users sharing sessions as a result of output caching with ASP.NET, IIS 6.0, and Windows 2003 Server, the problem may only be repeatable 1 out of 100,000 requests (see the 'Sessions and Output Caching' section of this article) http://msdn.microsoft.com/en-us/magazine/cc163577.aspx
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.