Skip to content
Search to learn about InterSystems products and solutions, career opportunities, and more.

Alert: CSP Session ID Reuse with IIS 7+

October 28, 2014 - Alert: CSP Session ID Reuse with IIS 7+

InterSystems has discovered and corrected a defect that can result in CSP session IDs being shared by two users. More specifically, there are situations where a new user for an application will be allocated a CSP session ID that has already been allocated to, and in use by, another user. The impact of this defect is application-dependent, but one possible consequence is the incorrect display of application data belonging to the session of another user.

The defect is present in all currently released Caché, Ensemble, and HealthShare versions. It occurs only in environments with Microsoft Internet Information Server (IIS) version 7 and higher.

This fault will only occur after IIS has recycled one of its worker processes, and the likelihood of encountering this problem increases with the recycling frequency of IIS worker processes. As an example, frequent recycling of worker processes can occur in configurations where the ‘Idle Timeout’ defined for the Application Pool is set to a low value. The settings controlling the recycling of worker processes can be found in the IIS control panel (Application Pool -> [Select Application Pool] -> Advanced Settings). If the periodic recycling of worker processes is completely disabled in your IIS configuration then your installation will be unaffected by this issue, with the exception that IIS will always recycle a worker processes that either hangs or causes an unrecoverable error condition.

The correction for this defect is identified as CMT1273. It will be included in upcoming Caché, Ensemble, and HealthShare 2013.1 and 2014.1 maintenance releases, and is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this advisory, please contact the Worldwide Response Center.

Latest Alerts & Advisories

Sign Up Today

Receive notifications on support alerts, critical issues,
fixes, and product releases.
*Required Fields
Highlighted fields are required
*Required Fields
Highlighted fields are required
By submitting this form, you give consent to receive notifications concerning support alerts, critical issues, important updates, fixes, and product releases via email. In addition, you consent to your business contact information being entered into our CRM solution that is hosted in the United States, but maintained consistent with applicable data protection laws.
**By clicking here, you give consent to be contacted for news, updates and other marketing purposes related to existing and future InterSystems products, offerings, and events.