Users seeing other users' data in ASP.NET
One of the more difficult issues to troubleshoot is two users seeing each other's data when they shouldn't be able to, e.g. User1 sees User2's data. Most of the time while troubleshooting, you find that the problem reproduces if two people submit the form at the same time from different machines.
Steps for troubleshooting:
The most common cause is the use of static objects. Search your code for static objects and ensure you are locking access to the variables to prevent two people from accessing the same values. The following article discusses some common problems caused by statics:
Troubleshooting ASP.NET applications with the use of static keywords
https://support.microsoft.com/Default.aspx?id=893666
Caching. If you're caching data in the page using the Cache class or have the OutputCache directive in the page, you'll want to remove them. Do not use caching on objects and pages that display customer sensitive data.
There's also an issue in which OutputCaching on IIS 6 caches in the kernel by default, which can result in multiple users getting the same cookie. Check out KB 917072.
Enable IIS Logging and enable cookie logging. You want to capture the 2 requests from the 2 users and ensure they have unique Session cookies. If using Cookie-less session, ensure the session ID in the URL is unique. If User1 and User2 send the same session ID, they're going to see the same data. This typically comes down to caching as well. Something cached the request info and resent the request User1 sent when User2 made the request.
- Open IIS
- Right-click the web site, select Properties
- Check Enable Logging
- Click Properties, then Extended Properties
- Check Extended Properties and be sure to check Cookies
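Once cookie logging is on, the check described above can be scripted. The following is an added example, not code from the original post: it reads a W3C extended log and reports every session ID that was sent by more than one client IP. The sample log lines, the shortened session IDs and the function name are constructed for illustration, and it assumes the cookieless ID shows up in cs-uri-stem in the ASP.NET 2.0+ form /(S(id))/.

```python
import re
from collections import defaultdict

# Constructed sample of an IIS W3C extended log with cookie logging enabled.
# Real session IDs are longer; these are shortened for readability.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2006-08-16 10:15:01 192.0.2.10 POST /orders/submit.aspx 200 ASP.NET_SessionId=aaa111;+theme=blue
2006-08-16 10:15:01 192.0.2.20 POST /orders/submit.aspx 200 ASP.NET_SessionId=aaa111
2006-08-16 10:15:02 192.0.2.30 GET /orders/view.aspx 200 ASP.NET_SessionId=ccc333
2006-08-16 10:15:03 192.0.2.40 GET /(S(ddd444))/orders/view.aspx 200 -
2006-08-16 10:15:04 192.0.2.50 GET /(S(ddd444))/orders/view.aspx 200 -
"""

# IIS writes spaces inside a field as '+', so cookies are separated by ';+'.
COOKIE_RE = re.compile(r"(?:^|;\+?)ASP\.NET_SessionId=([^;+]+)")
# Assumption: cookieless sessions appear in the URL as /(S(<id>))/.
COOKIELESS_RE = re.compile(r"/\(S\(([^)]+)\)\)/")

def shared_session_ids(log_text):
    """Return {session_id: sorted client IPs} for IDs sent by more than one IP."""
    fields, clients = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other directives and blank lines
        row = dict(zip(fields, line.split()))
        match = (COOKIE_RE.search(row.get("cs(Cookie)", ""))
                 or COOKIELESS_RE.search(row.get("cs-uri-stem", "")))
        if match and "c-ip" in row:
            clients[match.group(1)].add(row["c-ip"])
    # One ID from several IPs is a lead to investigate, not proof: a single
    # user can change address, and two users can share one proxy address.
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}

if __name__ == "__main__":
    for sid, ips in shared_session_ids(SAMPLE_LOG).items():
        print(f"session {sid} sent by {len(ips)} clients: {', '.join(ips)}")
```

Compare the timestamps of any flagged requests with the time the users reported the problem, then look at what sits between those clients and the server that could have replayed a cached response.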
Implement logging in the app to log the variables responsible for generating the output. If returning data from an external source, log the values you are passing to the database and the results you are getting back. You want to ensure that the external data source is returning the correct data based on the parameters passed.
Capture network traces on the client machine and the server when the problem occurs. You're looking for the following:
- Did the client send the request?
- Did the server actually receive the request? If not, the client got the response from some other device on the network (check Proxy servers and load balancers for caching options)
- If the server received the request, does it contain the same data that the client sent? (Check this against the other user's request to see what is similar/different)
- What does the response look like? Does it contain the same data the client received? Is it the incorrect data being sent from the server? (If the response is the same, check the code to see which variables are used and how they are populated.)
Comments
Anonymous
August 16, 2006
The comment has been removed
Anonymous
September 30, 2006
This blog entry is a continuation of the KB Article http://support.microsoft.com/?id=910447.
Scenario...
Anonymous
October 04, 2006
This blog entry is a continuation of the KB Article http://support.microsoft.com/?id=910447. Scenario
Anonymous
September 27, 2015
Thanks for your share. Here is my blog: www.hanhtrinhtamlinh.com
Anonymous
October 10, 2015
The comment has been removed
Anonymous
October 18, 2015
Việt Tín law firm offers free legal advice, advice on enterprise law, land law, company formation,... a leading law office in Vietnam: http://viettinlaw.com/
Anonymous
November 03, 2015
Hi Jerry, I faced the same kind of problem and it was solved by removing the output cache. I think the steps you mentioned really work. A great article that I believe will help a lot of people in the future. Thanks, Rudra Roy. Ecolife Capitol Lê Văn Lương apartments (ecolife-capitol.com/). Việt Tín law firm offers free legal advice, advice on enterprise law, land law, company formation, ... leading law office in Việt N
Anonymous
February 23, 2016
FLC Star Tower apartments, 418 Quang Trung, Hà Đông, Hanoi: http://www.flcstartowers.net/
Anonymous
February 28, 2016
Thanks for your share. Here is my blog Tư vấn luật Bravolaw : luatsuonline.vn
Anonymous
May 05, 2016
Yes, I agree! Implement logging in the app to log the variables responsible for generating the output. If returning data from an external source, log the values you are passing to the database and the results you are getting back. You want to ensure that the external data source is returning the correct data based on the parameters passed.