I am running an ASP-based e-commerce website on a dedicated Windows 2003 Server. I have received a few customer complaints in recent weeks that concern me... apparently when these customers login, they are seeing another customers profile. I have not been able to recreate this error and the login script code hasn't changed in two years... this has only occured in the past 2 weeks.

The way my system is setup the user logs in using their email address and password - the system matches this against a record in the users table, then creates a few session variables that hold the user information (user_id, user_name, etc.) throughout their session - so, apparently some of them are being assigned another users id.

Some stats: the CPU usage is at about 20% capacity - at least 1.5 GB of RAM available at any given time - the store has 4,000 customers - gets about 1500 uniques/day and 10-12K hits/day.

Has anyone ever heard of such a thing? Any suggestions?

thanks,
g

Its definately a large problem and something that needs to be fixed urgently. I suggest you get a developer in to look at the problem. A problem of this magnitude needs first-hand attention.

Regards.

I have had multiple developers looki into this - I am one myself. As I mentioned, the login script is fine. Could this be the result of exceeding # of connections that are set in IIS (It was set to 100)? Should I be doing something to clear the vars in the Session_OnEnd sub in the global.asa? Anyone have suggestions?

I have no immediate suggestions, but, yes, I suggest you try do clean things up a bit by clearing session var's in global.asa.

i have heard of something like this on forums, but not on an e-commerce site. what happens is that the unique id thats generated is not quite unique. it overlaps with another session. you could add some additional checking into the code to verify ip address or maybe something else that could be unique. i wonder if IIS has a way to increase the uniqueness of the session and maybe thats in the connection setting that you mentioned above.

have you tried restarting the services?

Yes, have tried restarting the services... that didn't seem to help. Regarding the unique id - are you referring to duplicate session ids? The unique id that identifies the customer throughout the store is the Session("customer_id") which is set when they login... it is matched against email address and password when they login. Somehow customers are getting assigned the wrong id.