ASP.NET and non-unique Session IDs
-
Can anyone coroborate a mad client of mine who swears that MS themselves say that Session IDs can sometimes not be unique between active visitors to a web-app?
Session.SessionID<--- that one I can maybe understand problems creeping in when IIS is being hammered by hundres of thousands of visitors, but this site in question is used by at most three people at a time. thanks regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebs -
Can anyone coroborate a mad client of mine who swears that MS themselves say that Session IDs can sometimes not be unique between active visitors to a web-app?
Session.SessionID<--- that one I can maybe understand problems creeping in when IIS is being hammered by hundres of thousands of visitors, but this site in question is used by at most three people at a time. thanks regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebsThe only thing I'm aware of is this little bit from MSDN You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server, or COUNTER with Microsoft® Access. which makes sense, but it wouldn't make sense to not have unique session id's whilst the server was running. Unless it's a bug of course. Michael :-) Logic, my dear Zoe, merely enables one to be wrong with authority. - The Doctor
-
Can anyone coroborate a mad client of mine who swears that MS themselves say that Session IDs can sometimes not be unique between active visitors to a web-app?
Session.SessionID<--- that one I can maybe understand problems creeping in when IIS is being hammered by hundres of thousands of visitors, but this site in question is used by at most three people at a time. thanks regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebsWith the SessionID being a 32bit number it's more likely to issue a duplicate than say a 128bit, but still ultra-unlikely. The only issues I've ever heard of regarding ASP Sessions are the session cookie hashes being sniffed over the network.
-
The only thing I'm aware of is this little bit from MSDN You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server, or COUNTER with Microsoft® Access. which makes sense, but it wouldn't make sense to not have unique session id's whilst the server was running. Unless it's a bug of course. Michael :-) Logic, my dear Zoe, merely enables one to be wrong with authority. - The Doctor
Michael P Butler wrote: Unless it's a bug of course Thanks Michael, that is the only info I have found on the issue as well. As for the bug bit, that is what the client is ranting and raving about. We used .NET, but I hardly think even MS would have created a system like ASP.NET which results in non-unique SessionIDs on a low-load app. I can get 10 000 users at once may cause ASP.NET to drop it's pants, but not 3. Thanks. I referred to you as a "professional colleague" in my letter to the client :-D regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebs
-
With the SessionID being a 32bit number it's more likely to issue a duplicate than say a 128bit, but still ultra-unlikely. The only issues I've ever heard of regarding ASP Sessions are the session cookie hashes being sniffed over the network.
Chris Rickard wrote: but still ultra-unlikely. Thanks "professional colleague"* :-D * read the reply to Michael above regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebs
-
Michael P Butler wrote: Unless it's a bug of course Thanks Michael, that is the only info I have found on the issue as well. As for the bug bit, that is what the client is ranting and raving about. We used .NET, but I hardly think even MS would have created a system like ASP.NET which results in non-unique SessionIDs on a low-load app. I can get 10 000 users at once may cause ASP.NET to drop it's pants, but not 3. Thanks. I referred to you as a "professional colleague" in my letter to the client :-D regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebs
Paul Watson wrote: I referred to you as a "professional colleague" in my letter to the client LOL. I've been called a lot of things in my time but never that ;-) Michael :-) Logic, my dear Zoe, merely enables one to be wrong with authority. - The Doctor
-
Can anyone coroborate a mad client of mine who swears that MS themselves say that Session IDs can sometimes not be unique between active visitors to a web-app?
Session.SessionID<--- that one I can maybe understand problems creeping in when IIS is being hammered by hundres of thousands of visitors, but this site in question is used by at most three people at a time. thanks regards, Paul Watson Bluegrass Cape Town, South Africa The greatest thing you'll ever learn is just to love, and to be loved in return - Moulin Rouge Michael P Butler wrote: Some people fantasise about "real people", others about celebsI've seen it that when cookies are disabled on the client browser a new sessionid is generated for each page visit.
-
I've seen it that when cookies are disabled on the client browser a new sessionid is generated for each page visit.
I haven't used ASP.NET, but with ASP the Session object relies heavily on cookies to operate. So, this could be a logical conclusion, but personally I haven't seen it happen yet. If you do have any more info about this, could you please let me know as I am in the middle of rapping up a web app written in ASP that uses this? Jeremy L. Falcon Homepage : Sonork = 100.16311
"Victims falling under chains ~ You hear them crying dying pains The fist of terrors breaking through ~ Now there's nothing you can do" Song: Phantom Lord - Album: Kill 'em All - Artist: Metallica