Session state being reset on every login

Question

I have an MVC application with a simple login page.

After a user has successfully been validated I populate session variables with their details ie -

System.Web.HttpContext.Current.Session["usergroup"] = Convert.ToInt32(userDetails[0]);
System.Web.HttpContext.Current.Session["userid"] = Convert.ToInt32(userDetails[1]);

I have a user class like so -

public class MyUser
    {

        public int usergroup { get; set; }
        public int userid { get; set; }

        public static readonly MyUser Default = new MyUser()
        {
            usergroup = 0,
            userid = 0
        };
    }

After the session varibales have been populated I use these to populate my MyUser variables ie -

MyUser.Default.usergroup = (Int32)System.Web.HttpContext.Current.Session["usergroup"];
MyUser.Default.userid = (Int32)System.Web.HttpContext.Current.Session["userid"];

Logging in and out, switching users works fine my dev laptop.

My issue is I have setup an IIS application on my network on a seperate testing laptop, and logged in on that laptop as User1. (where the url is localhost/MyApp)

Then to test the multiuser functionality, on the dev laptop, I logged in as User2 (where the url is http://{MY.NETWORK.IP}/MyApp).

I was able to login fine as User2 however if I go back to the testing laptop and refresh the screen User2's info is accessible and visible even though I am still logged in as User1!

My session variables are being reset every time a user (regardless of the machine) is logging in, how can I stop this from happening?

I have done a lot of reading, and seen people stopping caching by creating a rule in IIS, however this did nothing for me. Also people talking about using 2 separate browsers however again this 1. did nothing and 2 was not relevant to me as I am on 2 completely separate machines.

Does [Losing Session State](https://stackoverflow.com/a/44024416/1115360) apply? (You might be interested in the comments on the question at [Whats the best way to handle variables in multiuser asp.net site](https://stackoverflow.com/questions/69001396/whats-the-best-way-to-handle-variables-in-multiuser-asp-net-site).) — Andrew Morton, Sep 10 '21 at 15:32

Hans Keﬆing · Accepted Answer · 2021-09-13T08:51:58.063

A web application is a single application, serving multiple users.

Being a single application means that any static values are shared by all users. So when you change the properties of your public static readonly MyUser Default after a login, all users now see that same user.

If you don't want to do System.Web.HttpContext.Current.Session["usergroup"] all through your code (neither would I), then you might wrap that in some class:

public class MySession
{
   public int Usergroup
   {
      get => (int)System.Web.HttpContext.Current.Session["usergroup"];
      set => System.Web.HttpContext.Current.Session["usergroup"] = value;
   }

   // etc
}

As this doesn't store data in itself, you could even make this a static class.

Works a treat! Well explained answer. Kudos. – Ebikeneser Sep 14 '21 at 15:35 — Ebikeneser, Sep 14 '21 at 15:35

Session state being reset on every login

1 Answers1