Mixed sessions with Classic ASP on IIS 7.5 and Windows 2008 R2 64 bit
- by Marcin
Recently had an issues with a server upgrade from IIS 6 on Windows 2003 to IIS 7.5 on Windows 2008 R2 64 bit.
We have a number of websites running on Classic ASP. All the sites sit under a particular site, e.g. www.example.com/foo and www.example.com/foobar.
On IIS 6 each site was set up as a virtual directory and things worked fine. Since moving to the new set up, a lot of websites seem to have mixed Sessions. To be clear, this is not a app pool recycling issue; rather the sessions are populated with information when the user hits the site and while browsing they get sessions from different sites.
We've determined this based on
- a few customers called up and reported having their shopping cart with items with names of items belonging to a different site
- also our own testing showed that some queries being run would try to bring products in from a different site
We've tried
- disabling dynamic caching
- converting each site to be a virtual application (if I understand correctly, the virtual directory/application concepts were changed/refined somewhat in IIS 7 although to be honest, I'm not clear what the difference is)
- various application pool changes (using .NET 2 framework), classic and integrated modes, changing the Process model to NetworkIdentity), all to no avail.
The only thing we haven't tried is changing it to run as a 32 bit application.
We're not using http only cookies, so when I open up a browser and type
document.cookie
into the dev console in Firefox/Chrome/IE that there will be multiple ASPSESSIONID=... values whereas previously I believe there was only one.
Finally, we use server side JScript for the classic ASP pages, not VBScript, so we have code similar to the below.
//the user's login account as a jscript object
Session("user") = { email : "[email protected]", id : 123 };
and if we execute a line of code like below:
Response.Write( typeof(Session("user")) );
When things are running correctly, we get "object" - as expected.
When the Session gets trashed, the output is "unknown" and we are also unable to access the fields within the JScript object (e.g. the .email or .id fields).
Much appreciated if anyone can provide any pointers about how to resolve this, everything on google seems to point to different issues.
