Users seeing other users' data in ASP.NET

One of the more difficult issues to troubleshoot is two users seeing each other's data when they shouldn't be able to; for example, User1 sees User2's data.  Most of the time while troubleshooting, you find that the problem reproduces if two people submit the form at the same time from different machines.

Steps for troubleshooting:

  1. The most common cause is the use of static objects.  Search your code for static objects and ensure you are locking access to the variables to prevent two people from accessing the same values.  The following article discusses some common problems caused by statics:

    Troubleshooting ASP.NET applications with the use of static keywords
    https://support.microsoft.com/Default.aspx?id=893666

  2. Caching.  If you're caching data in the page using the Cache class or have the OutputCache directive in the page, you'll want to remove them.  Do not use caching on objects and pages that display customer-sensitive data.

  3. There's also an issue in which output caching on IIS 6 caches in the kernel by default, which can result in multiple users getting the same cookie.  See KB 917072.

  4. Enable IIS logging and enable cookie logging.  You want to capture the 2 requests from the 2 users and ensure they have unique session cookies.  If using cookieless sessions, ensure the session ID in the URL is unique.  If User1 and User2 send the same session ID, they're going to see the same data.  This typically comes down to caching as well: something cached the request info and resent the request User1 sent when User2 made the request.

    1. Open IIS
    2. Right-click the web site, select Properties
    3. Check Enable Logging
    4. Click Properties, then Extended Properties
    5. Check Extended Properties and be sure to check Cookies

  5. Implement logging in the app to log the variables responsible for generating the output.  If returning data from an external source, log the values you are passing to the database and the results you are getting back.  You want to ensure that the external data source is returning the correct data based on the parameters passed.

  6. Capture network traces on the client machine and the server when the problem occurs.  You're looking for the following:

    1. Did the client send the request?
    2. Did the server actually receive the request?  If not, the client got the response from some other device on the network (check proxy servers and load balancers for caching options).
    3. If the server received the request, does it contain the same data that the client sent?  (Check this against the other user's request to see what is similar/different)
    4. What does the response look like?  Does it contain the same data the client received?  Is it the incorrect data being sent from the server?  (If the response is the same, check the code to see which variables are used and how they are populated.)
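
For the session cookie check in step 4, the script below reads an IIS W3C extended log and reports any session ID that was sent by more than one client.  It is an added example, not code from the original article; it assumes the default ASP.NET_SessionId cookie name and a log that includes the c-ip, cs-username and cs(Cookie) fields, and the sample log lines are constructed.

```python
# Added example: flag session IDs presented by more than one client in an IIS W3C log.
import re
from collections import defaultdict

# IIS writes spaces inside a logged field as '+', so the ID ends at ';', '+' or whitespace.
SESSION_RE = re.compile(r"ASP\.NET_SessionId=([^;+\s]+)")

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(Cookie)
2024-01-15 10:00:01 10.0.0.11 user1 GET /account.aspx 200 ASP.NET_SessionId=aaaa1111bbbb2222cccc3333;+theme=dark
2024-01-15 10:00:01 10.0.0.12 user2 GET /account.aspx 200 ASP.NET_SessionId=aaaa1111bbbb2222cccc3333
2024-01-15 10:00:05 10.0.0.13 user3 GET /account.aspx 200 ASP.NET_SessionId=dddd4444eeee5555ffff6666
2024-01-15 10:00:09 10.0.0.13 user3 GET /orders.aspx 200 ASP.NET_SessionId=dddd4444eeee5555ffff6666
2024-01-15 10:00:12 10.0.0.14 - GET /default.aspx 200 -
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def shared_sessions(text):
    """Return {session_id: sorted (c-ip, cs-username) pairs} for IDs sent by more than one client."""
    clients = defaultdict(set)
    for row in parse_w3c(text):
        match = SESSION_RE.search(row.get("cs(Cookie)", ""))
        if match:
            clients[match.group(1)].add((row.get("c-ip", "-"), row.get("cs-username", "-")))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, seen in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} sent by multiple clients: {seen}")
```

A hit is a lead rather than proof: one user whose address changes mid-session will also appear, so compare the timestamps and user names of the flagged requests.  Logs captured with cookie logging enabled contain live session IDs, so restrict access to them and turn cookie logging off once the investigation is done.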