Users are getting other user's session!

I have two .NET websites, which is setup to share sessions in-between via SQL db.

The website stores and retrieves session as using session("MY_Session").add and Session("MY_Session"). What gets stored is basically a custom class with their username and name.

The parent website is setup in IIS using DefaultAppPool and then the secondary site is setup as virtual directory application in the same pool.

I am not quite sure how it is set up on SQL for the sessions as I did not put it in.

In the web.config for both applications, it is set as follows:

sessionState mod开发者_StackOverflowe="SQLServer" 
sqlConnectionString="server=xxxxx;uid=uuuu;pwd=pppppp;Application Name=NNNNNN"/

Users are claiming that they sometimes open up their browser and go to the site and find that other people's information (from within the same organisation) is appearing...

Anyone able to tell me what I am doing wrong and what to do next please?

This could be a caching issue, if there is a proxy server involved -- make sure any personalised content is correctly flagged so that it is not shared between clients.

A header like this should improve matters:

Cache-Control: private