Different users get the same value in .ASPXANONYMOUS

Posted by Malcolm Frexner on Stack Overflow
Published on 2010-03-15T16:27:55Z Indexed on 2010/03/15 16:29 UTC

My site allows anonymous users. I saw that under heavy load users sometimes get profile values from other users.

This happens for anonymous users.

I logged the access to profile data:

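    /// <summary>
    /// Returns the profile key for the current request and, when enabled, logs the request details.
    /// </summary>
    /// <param name="controller">Controller handling the current request.</param>
    /// <returns>The user name for authenticated requests, otherwise the anonymous ID.</returns>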
    public static string ProfileID(this Controller controller )
    {
        if (ApplicationConfiguration.LogProfileAccess)
        {
            StringBuilder sb = new StringBuilder();
            (from header in controller.Request.Headers.ToPairs()
                          select string.Concat(header.Key, ":", header.Value, ";")).ToList().ForEach(x => sb.Append(x));


            string log = string.Format("ip:{0} url:{1} IsAuthenticated:{2} Name:{3} AnonId:{4} header:{5}",
                                       controller.Request.UserHostAddress,
                                       controller.Request.Url.ToString(),
                                       controller.Request.IsAuthenticated,
                                       controller.User.Identity.Name,
                                       controller.Request.AnonymousID,
                                       sb);

            _log.Debug(log);
        }
        return controller.Request.IsAuthenticated ? controller.User.Identity.Name : controller.Request.AnonymousID;
    }

I can see in the log that users really get the same cookie value for .ASPXANONYMOUS even if they have different IPs.

Just to be safe I removed dependency injection for the FormsAuthentication. I don't use OutputCaching.

My web.config has this setting for authentication:

    <anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
        cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />

    <authentication mode="Forms">
        <forms loginUrl="~/de/Account/Login" />
    </authentication>

Does anybody have an idea what else I could log or what I should have a look at?

© Stack Overflow or respective owner
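
An added example, not part of the original post: a small Python script that reads log lines in the format produced by the `ProfileID` helper above and reports every `AnonId` that was logged from more than one client IP. The sample lines, IDs and IP addresses are constructed, and the leading timestamp/level prefix is an assumption about the logger's layout. A single visitor can legitimately appear from several IPs (proxy, mobile network), so the hits are candidates to inspect rather than confirmed collisions.

```python
import re
from collections import defaultdict

# Matches the message built by string.Format in the question's ProfileID helper.
# search() is used so an assumed logger prefix (timestamp, level) is tolerated.
LINE_RE = re.compile(
    r"ip:(?P<ip>\S+) url:(?P<url>\S+) IsAuthenticated:(?P<auth>True|False) "
    r"Name:(?P<name>.*?) AnonId:(?P<anon>\S*) header:(?P<header>.*)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None


def shared_anonymous_ids(lines):
    """Map each AnonId seen from more than one client IP to its sorted IPs."""
    ips_by_id = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Skip unparsable lines, authenticated requests and empty anonymous IDs.
        if rec is None or rec["auth"] == "True" or not rec["anon"]:
            continue
        ips_by_id[rec["anon"]].add(rec["ip"])
    return {a: sorted(ips) for a, ips in ips_by_id.items() if len(ips) > 1}


# Constructed sample lines (documentation IP ranges, made-up IDs and user name).
SAMPLE_LOG = [
    "2010-03-15 16:01:02 DEBUG ip:192.0.2.10 url:http://example.test/de/Home "
    "IsAuthenticated:False Name: AnonId:aaaa-1111 header:Host:example.test;",
    "2010-03-15 16:01:03 DEBUG ip:198.51.100.7 url:http://example.test/de/Cart "
    "IsAuthenticated:False Name: AnonId:aaaa-1111 header:Host:example.test;",
    "2010-03-15 16:01:04 DEBUG ip:203.0.113.5 url:http://example.test/de/Home "
    "IsAuthenticated:False Name: AnonId:bbbb-2222 header:Host:example.test;",
    "2010-03-15 16:01:05 DEBUG ip:203.0.113.9 url:http://example.test/de/Account "
    "IsAuthenticated:True Name:alice AnonId: header:Host:example.test;",
]

if __name__ == "__main__":
    for anon_id, ips in shared_anonymous_ids(SAMPLE_LOG).items():
        print(f"AnonId {anon_id} seen from {len(ips)} IPs: {', '.join(ips)}")
```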
