Different users get the same cookie - value in .ASPXANONYMOUS
My site allows anonymous users.
I saw that under heavy load anonymous users sometimes get profile values from other users.
I first delete my cookies and get a valid unique value in the cookie value .ASPXANONYMOUS. After a couple of requests I get a new value for .ASPXANONYMOUS which is already used by another user. I see in my logs that there are always a couple of users who share the same value in .ASPXANONYMOUS.
I can see in my logs that 2 or more users really get the same cookie value for .ASPXANONYMOUS even if they have different IPs.
Here is the HTTP traffic. In the second image the changing cookie is shown (you have to display the image full size to be able to read the log):
One of the many requests that work ok:
[Image: http://img413.imageshack.us/img413/2711/log1.gif]
Then there is this one request that changes the cookie:
[Image: http://img704.imageshack.us/img704/8175/log2.gif]
Then the new cookie is used:
[Image: http://img704.imageshack.us/img704/3818/log3.gif]
Just to be safe I removed dependency injection.
I don't use OutputCaching.
My web.config has this setting for authentication:
<anonymousIdentification enabled="true" cookieless="UseCookies" cookieName=".ASPXANONYMOUS"
cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" />
<authentication mode="Forms">
<forms loginUrl="~/de/Account/Login" />
</authentication>
Does anybody have an idea what else I could log or what I should have a look at?
UPDATE
I saw now that the http-traffic I showed is perfectly valid. A changing value in .ASPXANONYMOUS is something that happens because the cookie gets refreshed. The value contains AnonymousID and a Timestamp.
This does not lead to users having the same value in .ASPXANONYMOUS under normal conditions.
The problem really is that whenever the cookies get set from the AnonymousIdentificationModule, there is a chance that a couple of users get this cookie. Setting a cookie in my application doesn't have this strange side effect.
Comments (2)
I had the same problem and solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this
Are you declaring any static variables in your code at all? I had this similar issue, and narrowed it down to that; at least for my situation.
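
For the question of what else to log, and for the output-caching suggestion in the first comment, this added example (not code from the question or the comments) checks response logs for a cookie value handed to more than one client and for cookie-setting responses whose Cache-Control does not forbid reuse. The log format, field names and token values are constructed, and it assumes the application logs the issued cookie value and the Cache-Control header for each response.

```python
# Added example: the log format, field names and values are constructed for illustration.
from collections import defaultdict

# Constructed sample: one line per response, as an application-level logger might write it.
# issued = .ASPXANONYMOUS value sent in Set-Cookie ("-" if none), cache = Cache-Control header.
SAMPLE_LOG = """\
10:00:01 ip=203.0.113.10 path=/de/Home cache=private issued=tokA
10:00:02 ip=203.0.113.10 path=/de/Products cache=private issued=-
10:00:05 ip=198.51.100.7 path=/de/Home cache=public,max-age=60 issued=tokB
10:00:06 ip=192.0.2.44 path=/de/Home cache=public,max-age=60 issued=tokB
10:00:09 ip=192.0.2.99 path=/de/Home cache=public,max-age=60 issued=tokB
10:00:12 ip=203.0.113.10 path=/de/Home cache=no-store issued=tokC
"""

def parse(log_text):
    """Turn each 'time key=value ...' line into a dict."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["time"] = time
        records.append(rec)
    return records

def shared_issues(records):
    """Cookie values that were issued to more than one client IP."""
    clients = defaultdict(set)
    for r in records:
        if r["issued"] != "-":
            clients[r["issued"]].add(r["ip"])
    return {tok: sorted(ips) for tok, ips in clients.items() if len(ips) > 1}

def cacheable_issues(records):
    """Responses that set the cookie while Cache-Control permits reuse by a shared cache."""
    blocking = {"private", "no-store", "no-cache"}
    hits = []
    for r in records:
        directives = {d.strip().split("=")[0] for d in r["cache"].split(",")}
        if r["issued"] != "-" and not directives & blocking:
            hits.append((r["time"], r["path"], r["cache"]))
    return hits

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("issued to several clients:", shared_issues(recs))
    print("cacheable Set-Cookie responses:", cacheable_issues(recs))
```

The header check only covers caches that honour Cache-Control; `shared_issues` reports the effect itself, whichever layer replayed the response.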