Microsoft Internet Information Server 7.0 potential security flaw which exposes private data and functions to unauthorized persons.
A potential security flaw exists in Microsoft Internet Information Server 7.0 where IIS may issue the same ASP-Session-Id to all HTTP requests until the site's process is recycled. This is a very serious IIS flaw which can potentially expose private data to unauthorized persons. Below is an image link of an IIS server having issued the same ASP-Session-Id to 6 sessions. There were actually thousands of sessions that were issued the same ASP-Session-Id for this one occurrence prior to being alerted to the problem. Given the ramifications this problem can cause, you would expect that IIS would have some built-in capability to unconditionally avoid this problem, but apparently it does not.

Imagine your site visitors (customers) viewing some other customer's private data or gaining access to what would otherwise be unauthorized functions. These site visitors could only conclude that this site's security is flawed and that it is not a place for them to do business.

My reasons for posting this information include alerting website operators using IIS of this potential problem so that they can take appropriate measures to protect their sites, and also alerting Microsoft, who in my opinion should consider this a severe IIS flaw.

With all that said, here are the questions:

1. If there were a short list of things that IIS must unequivocally do right, would handling sessions, including not crossing them by providing the same session ID to two or more site visitors, be on that list?
2. Should Microsoft consider this a severe IIS flaw?

Event log at the link below: http://www.bradner.com/images/msiissecurityflawduplicatesessionids.gif
March 11th, 2011 10:51am
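One way a site operator could check their own IIS logs for the symptom described in the post (one ASP session value presented by many different clients), as an added example that is not part of the original thread. The W3C log lines are constructed; the field layout assumes `cs(Cookie)` and `c-ip` are among the logged fields, which is not the IIS default and has to be enabled in the logging settings.

```python
import re
from collections import defaultdict

# Constructed sample of IIS W3C extended log lines (not from the original post).
# Two distinct client IPs present the same ASP session value: that is the
# condition the post describes (one ASP-Session-Id handed to many visitors).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Cookie) sc-status
2011-03-10 09:00:01 192.0.2.10 GET /account.asp Mozilla/5.0 ASPSESSIONIDQABCDEFG=AAAAAAAAAAAAAAAAAAAAAAAA 200
2011-03-10 09:00:02 192.0.2.11 GET /account.asp Mozilla/5.0 ASPSESSIONIDQABCDEFG=AAAAAAAAAAAAAAAAAAAAAAAA 200
2011-03-10 09:00:03 192.0.2.12 GET /login.asp Mozilla/5.0 ASPSESSIONIDQABCDEFG=BBBBBBBBBBBBBBBBBBBBBBBB 200
2011-03-10 09:00:04 192.0.2.10 GET /orders.asp Mozilla/5.0 ASPSESSIONIDQABCDEFG=AAAAAAAAAAAAAAAAAAAAAAAA 200
2011-03-10 09:00:05 192.0.2.13 GET /orders.asp Mozilla/5.0 - 200
"""

# Classic ASP names its session cookie ASPSESSIONID plus an 8-letter app suffix.
SESSION_RE = re.compile(r"ASPSESSIONID[A-Z]{8}=([A-Z0-9]+)")


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: header.
    IIS writes spaces inside field values as '+', so splitting on whitespace is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def shared_sessions(text, min_clients=2):
    """Map each ASP session value to the sorted list of client IPs that presented it,
    keeping only values seen from at least min_clients distinct addresses."""
    clients = defaultdict(set)
    for rec in parse_w3c(text):
        m = SESSION_RE.search(rec.get("cs(Cookie)", ""))
        if m:
            clients[m.group(1)].add(rec["c-ip"])
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) >= min_clients}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} presented by {len(ips)} clients: {', '.join(ips)}")
```

A single session value arriving from several source addresses is the strong signal; the reverse (many sessions from one address) is normal behind a proxy or NAT and is not flagged here.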

Hi. As this issue is related to IIS, I suggest discussing it in our IIS forum: http://forums.iis.net/ Tim Quan
March 15th, 2011 2:38am

Thanks for the information Tim.
March 15th, 2011 9:56am
