A nasty gotcha: ASP.NET stores the session identifier as a global cookie. This has adverse effects upon session state in circumstances such as:
- open your app in a browser window and browse to a page that carries session state
- open your app in a second browser window and browse to a different page that has noticeably different session state
- return to the first browser and perform an action that relies upon the session state
You will notice that the first browser window has picked up state from the second.
This problem is not unique to ASP.NET, but affects any system that uses session cookies. Depending upon the application, it might be safer to carry the session identifier in the URL or as variables on the page.
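
The three steps above, replayed against a toy model as an added example (not ASP.NET code and not from the original note): one browser cookie jar shared by two windows, compared with an identifier carried in each window's own page. The `Server`, `Browser` and `Window` classes and the `order-A`/`order-B` values are constructed for illustration.

```python
import secrets

class Server:
    """Toy server: session state is a dict keyed by session identifier."""
    def __init__(self):
        self.sessions = {}

    def handle(self, sid, set_value=None):
        # Issue a fresh identifier when the request carries none (or an unknown one).
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
        if set_value is not None:
            self.sessions[sid]["selected"] = set_value
        return sid, self.sessions[sid].get("selected")

class Browser:
    """One cookie jar per browser, shared by every window it opens."""
    def __init__(self):
        self.cookie_sid = None

class Window:
    def __init__(self, browser, server, use_cookie):
        self.browser, self.server, self.use_cookie = browser, server, use_cookie
        self.page_sid = None  # identifier carried in this window's own page (URL or form variable)

    def request(self, set_value=None):
        sid = self.browser.cookie_sid if self.use_cookie else self.page_sid
        sid, value = self.server.handle(sid, set_value)
        if self.use_cookie:
            self.browser.cookie_sid = sid  # the cookie lands in the shared jar
        else:
            self.page_sid = sid            # echoed back only into this window's page
        return value

def run_scenario(use_cookie):
    """Replay the three steps from the text; return what window 1 sees at the end."""
    server, browser = Server(), Browser()
    w1 = Window(browser, server, use_cookie)
    w2 = Window(browser, server, use_cookie)
    w1.request(set_value="order-A")  # step 1: first window sets up its state
    w2.request(set_value="order-B")  # step 2: second window sets different state
    return w1.request()              # step 3: first window acts on "its" state

if __name__ == "__main__":
    print("cookie:", run_scenario(True))
    print("page variable:", run_scenario(False))
```

An identifier carried in the URL also ends up in browser history, server logs and Referer headers, so the form-variable variant exposes it less than the URL variant.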