ASP.NET session switching

We have a private site for customers. Clients often tell us that they see the profile of another user.

Our authentication procedure looks like this: credentials -> check the DB table -> UserId saved in Session.

As I understand, the user somehow switches to another user's session. Can anyone name at least one possibility for it?


When output caching is enabled on a page, the entire HTTP response is cached, including the response headers. That means the HTTP header that sets session cookies can be cached there, too.

Be sure to disable output caching on any page that sets user-specific cookies. Note that disabling kernel mode caching isn't enough -- the entire response is also cached separately by the ASP.NET runtime.

However, you can still safely enable client side caching on those pages, if appropriate (Location="Client").
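
The mechanism described in the answer above, as an added example that is not part of the original answer: a toy C# model (not the ASP.NET runtime) of a server-side output cache that stores whole responses, headers included. The `Server` and `Response` classes, the URL and the UserIds are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Toy model of a server-side output cache; this is not ASP.NET's own code.
class Response
{
    public Dictionary<string, string> Headers = new Dictionary<string, string>();
    public string Body = "";
}

class Server
{
    readonly Dictionary<string, int> sessions = new Dictionary<string, int>();               // session id -> UserId
    readonly Dictionary<string, Response> outputCache = new Dictionary<string, Response>(); // url -> whole response
    readonly bool neverCacheCookieResponses;
    int nextId = 1;

    public Server(bool neverCacheCookieResponses) { this.neverCacheCookieResponses = neverCacheCookieResponses; }

    // Serves a page to a client that has no session cookie yet; userId is who the server authenticated.
    public Response Handle(string url, int userId)
    {
        // Cache hit: the stored response is replayed as-is, Set-Cookie header included.
        if (outputCache.TryGetValue(url, out var cached)) return cached;

        var sid = "sid-" + nextId++;
        sessions[sid] = userId;                                   // "UserId saved in Session"
        var r = new Response { Body = "welcome" };
        r.Headers["Set-Cookie"] = "ASP.NET_SessionId=" + sid;

        // Hardened mode models the advice: no output caching for pages that set user-specific cookies.
        if (!(neverCacheCookieResponses && r.Headers.ContainsKey("Set-Cookie")))
            outputCache[url] = r;
        return r;
    }

    // Which user the session cookie in this response belongs to.
    public int UserFor(Response r) => sessions[r.Headers["Set-Cookie"].Split('=')[1]];
}

static class Program
{
    static void Main()
    {
        foreach (var hardened in new[] { false, true })
        {
            var s = new Server(hardened);
            s.Handle("/login.aspx", 101);                         // constructed UserIds
            var second = s.Handle("/login.aspx", 202);
            Console.WriteLine($"hardened={hardened}: user 202 receives the session cookie of user {s.UserFor(second)}");
        }
    }
}
```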


It sounds like you are saving profile data in static variables. Also, you should never implement your own authentication mechanism, but base it on the built-in ASP.NET forms authentication. There is already built-in support for SQL Server based authentication.
