I have a webApp running on IIS 7.

We are seeing sessions assigned to two IP addreses.

It's not just a case of the user unplugging his modem, resetting his IP, because we are seeing it far too often, and at least one case we know of a user actually ended up with the information from a different user in his account.

In a log that shows some of the session information for each IP address I found the session itself associated with both IP addresses, not just the session variables, but even the session ID.

I ran a whoIs on a few of the pairs of IPs that have had the session switch and in each pair either the net name was the same, or at least one of the name server.

Can anyone please tell me what could cause a session to do this?

Are you using ASP.Net session or have you rolled your own? 

Session is driven by cookie or query string if cookieless="true" which are HTTP items.  HTTP runs on TCP, TCP runs on IP.  So, Session and IP really have nothing to do with each other or I should say, Session knows nothing about IP address and IP knows nothing of Session.  How are you seeing Sessions associated with IPs? 

Based on protocol lesson above, one explanation is that the user requests your page and establishes a session.  User associates with another network, wireless, VPN, etc, but the browser keeps the session (because browser and HTTP don't care about IP).

I know the Session and IP aren't connected. I already considered the possibility of the user unplugging his modem, or some other action that can cause a reset of the IP.

"It's not just a case of the user unplugging his modem, resetting his IP, because we are seeing it far too often, and at least one case we know of a user actually ended up with the information from a different user in his account." 

The case where the user saw the wrong data, the data he saw was from a user in a different state.

To find out which session is associated with which IP, On every page request in the onInit of my master page I write to a log the IP associated with the request, the IP stored in the sessionVariable, and the Session ID. From this I see it's not just the sessionVariables or the data I'm storing in them that are getting crossed, but the session IDs and therefore, the sessions themselves.

"Are you using ASP.Net session or have you rolled your own?" 

lionscub:

I know the Session and IP aren't connected. I already considered the possibility of the user unplugging his modem, or some other action that can cause a reset of the IP.

...and don't forget network address translation.  If you know they aren't connected then perhaps you should look at the code you are using to "touch" session.  You may have a bug in your data access code or in your data schema itself.

lionscub:

To find out which session is associated with which IP, On every page request in the onInit of my master page I write to a log the IP associated with the request, the IP stored in the sessionVariable, and the Session ID. From this I see it's not just the sessionVariables or the data I'm storing in them that are getting crossed, but the session IDs and therefore, the sessions themselves.

Since we know they aren't connected, then storing IP in the session is unreliable, agreed?  If you are saying that Session["SessionId"] != Session.SessionId (after having stored the SessionId in Session at some point prior) then I think you should take another look (or fix your handrolled session code )

Ah, I forgot to answer that one, sorry. We are using  ASP.Net sessions.

The purpose of storin the IP in the session was just to verify that the session variables are indeed being crossed over and it gives me a reference point to be able to go back and pull up the specific log for the two IPs involved in each incedent. The logs are broken up by Request.ID.

I'll add now the sessionID to a session variable and compare that.

I thought you were already doing that!

I would save your effort, because Session["SessionID"] will always be equal to Session.SessionId.  (Or I will be shorting MSFT asap)

You have a bug in your code that is not related to ASP.Net Session.

Remember that Web Server is multi-threaded and make sure you are handling concurrency on your database with proper design. 

Maybe you could post some code related to the data your are seeing get "crossed"

First of all, thanks for your help on this. It's driving me nuts.

The simplest exampel is the IP address. 

This function checks if it is the same IP, and if the sessionVariable is empty fills it.

private void CheckIPs()
{
    if (Session[SessionVariables.IP.ToString()] != null)
    {
        if (Session[SessionVariables.IP.ToString()].ToString() != Request.ServerVariables["REMOTE_ADDR"])
        {
            string errorMessage = "The IP address in the session does not match the one in the request:" + Environment.NewLine +
                "Session IP: " + Session[SessionVariables.IP.ToString()].ToString() + Environment.NewLine +
                "Request IP: " + Request.ServerVariables["REMOTE_ADDR"] + Environment.NewLine;
    
            Logger.Log("ERROR - " + errorMessage);
    
            //clear out the session and send him back to the home page
            Session.Abandon();
            Session.Clear();
            Response.Redirect("~/Default.aspx");
        }
    }
    else
    {
        Session[SessionVariables.IP.ToString()] = Request.ServerVariables["REMOTE_ADDR"];
}

In this function is aclled from the OnInit method of the master page. It takes in the request object, session object, and a
logFileName and it logs some session details into a log specifed by the Request "REMOTE_ADDR".

public static void Log(System.Web.HttpRequest request, System.Web.SessionState.HttpSessionState session,
    string filename)
{

    using (StreamWriter sw = new StreamWriter(filename, true))
    {
        sw.WriteLine("==========" + DateTime.Now.ToString() + "===========");
        sw.WriteLine("Session ID: " + session.SessionID);
        sw.WriteLine("Request IP: " + request.ServerVariables["REMOTE_ADDR"]);
        if (session[SessionVariables.IP.ToString()] != null)
        {
            sw.WriteLine("Session IP: " + session[SessionVariables.IP.ToString()].ToString());
        }
        
        sw.Flush();
        sw.Close();
    }
}

These are the only lines of code that touch the IP session variable, or the SessionID, both of which can be ocassionaly be fodn in logs with different request.ServerVariables["REMOTE_ADDR"].

New information:

It is not that the session is reassigned to the second computer, but copied there. Once the problem is detected the webApp clears and abandons the session, forcing the second user to the home page. I see in the log that the first user still has the ability to continue working without any issue. 

lionscub:

It is not that the session is reassigned to the second computer, but copied there.

What specifically do you think is copied? 

I thought we already agreed that using IP address to track session is useless?  This code isn't helping you.  In some infrastructure setups all requests would be coming from the same IP address (an internal one).

Please show the code touching session values/objects that you think are being leaked between sessions

The entire session, sessionVariable, and sessionID appear to be duplicated.

We did agree not to use the IP for tracking, and I'm not. It's just one of the values I store in a sessionVariable that is being copied, and it is the one that I touch the least, so it is the best example of a sessionVariable that is being copied. There is no code pulling it from a cached or static value. It just pulls from the request and stores in the session. After that it is only compared to. You could rename it foo for the purpose of this conversation, it doesn't make a difference.

The key is that in the log I show all the information from the session including the sessionID and sessionVariable in another user's log. I know it is two seperate users because after clearing and abandoning the session from the second user, the first is able to continue his session.

I finally found the answer. It's an issue with IIS7. Read more here:  http://lionsden.co.il/codeden/?p=446

Lionscub,

Thank you for taking the time to post the solution to your problem.  I am sure, in the future, it will help many people.

Thanks again.