IIS: setting multi-user or different sessions

Question

Hello!

I have a dynamically generated grid (ASPxGridView) to which I connect the dynamically generated source (DataTable).
I store the source in the viewState of the page before writing it to the database.
My problem is that when different users connect to the page, the ViewState (or Session) for them is the same and the information written to the database (source DataTable) may come from the wrong user from whom it was expected. The page address is the same for all users.
Can you suggest how best to keep the source in memory so that it is separate for users and for each new page tab in the browser? Or how to configure IIS, or maybe the web.config configuration file, so that the session for each user is separate?

Product: ASPxGridView (DevExpress 20.1.3), IIS 10, ASP.NET WebForms, MS SQL Server 2019
Operating System: Windows 10 x64
IDE: Microsoft Visual Studio 2019

I will be grateful for any help, thank you.

Answer 1

ViewState is a hidden field in the current page and not shared with other users. Session is server memory unlocked by a key in a cookie which also belongs to the current user and is not shared. It sounds like you have a static variable which is shared by all web application users. I can't be absolutely sure since we cannot see the source code but what you describe can certainly be caused by a static variable.

I think you want to cache data by user. There are several approaches. The community needs to know more about your requirements and how the application is intended to work. Session and ViewState are solid approaches depending on your needs. ViewState exists only on the current page and persists between post backs. Refreshing the page from the address bar or following a link will clear ViewState. Session stays with the user as long the users Session has not expired.

Another option is page caching which is covered on the docs. You get to control how pages are cached which if you are not careful can leak into another user's context.

Answer 2

Session is per user in ASP.NET, provided you set it up. A full discussion of where data can be stored is defined in the docs. Starting around ASP.NET 2 I believe it would not automatically create session unless you also ensured the Session_Start is defined in the global.asax otherwise it won't create it until you first use it which can cause problems.

Session ID is auto-generated when ASP.NET detects a new session. That ID is, by default, stored as part of the hidden data sent to the client. The client has to send that data back in order for ASP.NET to find the session data. This is normally handled automatically when you're using Webform's postback logic. You can confirm that each user has a unique session if you feel something isn't right.

Based upon your comment it sounds like you are trying to store viewstate in a database and that isn't going to work. For security reasons viewstate is encrypted by default and it is temporal anyway. Storing viewstate itself anywhere doesn't make any sense. If you want to improve perf, at the cost of memory, then use Session (for per user) or Cache (for per application).

So, in summary, session will work correctly per user. You don't need to do anything. However any data you store in a database is probably shared across users. So don't store any data in DB that is per user that isn't tied to a unique identifier for the user. Please provide code where you're seeing users getting other users' data.