ASP.NET Session Variable Value Swapping

Question

We have been facing few session issues in our ASP.NET MVC 4.0 application hosted on IIS 7.5 and Windows Server 2008 R2. Our developers are storing some information like UserId, UserName and few other info in session.

Strangely we have been noticing a session variable (UserId) value getting swapped. Below is how we have hosted our sites.

Application A Virtual Directory
- Application A Core Virtual Directory
Application B Virtual Directory
- Application B Core Virtual Directory

All the four virtual directories are running on their own app pool and has its own config and appsettings file. Application A Virtual Directory and Application B Virtual Directory are pointed to two different folders. Where as Application A Core Virtual Directory and Application B Core Virtual Directory are pointed to the same core folder which is the complete published code folder.

Below is our session manager class through which we set and get session values. Also there is a function GetLoggedInUserId() which returns the logged in user id from session. Now the code:

public static class SessionManager
{
    public static String GetSessionKeyValue(String pKey)
    {
        return HttpContext.Current.Session[pKey] == null ? null : HttpContext.Current.Session[pKey].ToString();
    }

    public static Boolean SetSessionKeyValue(String pKey, String pValue)
    {
        HttpContext.Current.Session[pKey] = pValue;
        return true;
    }

    public static Int32 GetLoggedInUserId()
    {
        return Int32.Parse(GetSessionKeyValue(SessionKeys.UserId));
    }

    public static Int32 GetLoggedInUserId(bool byPassSessionValidation)
    {
        if (byPassSessionValidation)
        {
            return -1; //Value returned as -1 because the user is not yet logged in.
        }
        else
        {
            return GetLoggedInUserId();
        }
    }        
}

SessionKeys is another static class as below:

public static class SessionKeys
{
    public const string UserId = "UserID";
    public const string ProviderId = "ProviderId";
    public const string LocationId = "LocID";
    public const string RoleId = "RoleId";
    public const string PracticeId = "PracticeId";
    public const string UserDefaultSearchOption = "UserDefaultSearchOption";
    public const string UserName = "UserName";
    public const string UserLoginMode = "UserLoginMode";
    public const string IsRibbonMenuEnabled = "IsRibbonMenuEnabled";
    public const string BrowserName = "BrowserName";
    public const string BrowserVersion = "BrowserVersion";
}

All our application databases have some common logins with different user id assigned. For example an user with user login as loginA will be present in Users table across all databases with diff user id assigned. When two different applications are opened in browser and when loginA logs in, I see that randomly once in two weeks, the logged in user id value is getting swapped and application shows different user details instead of the logged in user name.

Can some one help us to find out what's going wrong? Thanks in advance.

You could take a look at the answer I posted to another question: stackoverflow.com/a/40916666/1864395 — Sander_P, Dec 05 '16 at 12:18
Possible duplicate of [Asp.net Sessions Getting Crossed / Mixed Up](http://stackoverflow.com/questions/5574388/asp-net-sessions-getting-crossed-mixed-up) — Sander_P, Dec 15 '16 at 13:59

ASP.NET Session Variable Value Swapping

0 Answers0