Greetings all,
We have recently noticed some very troubling things with our HttpContext within our ASP.NET 4.0 web application running on IIS 7.5. We originally set our user id based upon the HttpContext.Current object. Until sometime in February 2013, everything worked perfectly and all of our user data was secure. What we have noticed since about February is that when we have two (or more) users signed into our site, almost at random, users are able to see each other's data. By profiling the requests, we have confirmed that the requests seem to be using the wrong user id for the specific request. This only appears on one out of every 5-10 requests, but it's enough to cause some rather serious implications about keeping user data secure. We have also noticed that this behavior only appears to be happening for users that have an active Session and when many requests are firing at once.
We have been able to find some older information related to disabling Page-Output and Kernel-Mode caching, but we tried this and it did not resolve the issue. We have been forced to remove the reference to HttpContext.Current in order to grab the user id and instead have reverted back to using the Session, which doesn't "feel" like a good approach.
My question is: what changed in February? It almost seems like the threads are "confused" as to the origin of the request or something is not handling the requests properly. ANY help or guidance would be greatly appreciated.