MVC 5 - why am I losing session variables with session mode=StateServer

I have an ASP.NET MVC 5 application where I use the ASP.NET Session to store some objects. By default the session mode was InProc and very soon I noticed that these objects started to intermittently disappear from the session. Apparently something was restarting the app_pool so the whole session was getting cleared. I switched the session mode to StateServer (out of process - ASP.NET State Service) thinking that this will solve my problem completely. What really happened was the objects that I put into the session still disappear, but only less frequently. Apparently StateServer session mode is resistant to app_pool restart, but not resistant to some other things.
So my question is: What could be these other things? What can be causing the ASP.NET Session to clear when the mode is StateServer (stored outside of IIS)?

Related

Session expires very often in MVC application

I am working on developing MVC5 application.
I have used session to store user data.
Below is the code which I am using to store session data:
    if (Session["UserData"] == null)
    {
        Session["UserData"] = _objLoginSession;
    }
I have also increased the session timeout in web.config, as below:
    <sessionState mode="InProc" timeout="60">
    </sessionState>
My authentication mode is also none:
    <authentication mode="None" />
But when I run my application, it expires within 1 - 2 minutes only.
Can anyone please guide me on this?
One reason why ASP.NET session might expire that comes to mind is this: session data is kept in memory since you specified InProc mode, so if you recompile your application in Visual Studio or for some reason your application is restarted you will lose session data. And there are plenty of reasons why your application might get restarted by the web server. Things like changing web.config or some files in the bin folder or your computer starts running on low memory.
All those reasons indicate that you should absolutely never (except while developing) keep session data in memory (InProc).

Why am I getting a new session when using async actions and RedirectToAction in ASP.NET MVC?

I have an ASP.NET MVC 4 application that is exhibiting session management problems.
I'm using the Session to track the logged in user. I have a custom action filter that checks a user is logged in and, if not, redirects to the log in page.
This generally works fine. However, I have a problem where a new session is getting created during a certain request. The session ID is the same, but the Session.IsNewSession property shows it's a new session - and the session contents have gone.
The action where it happens is an async action (using the async/await features in .NET 4.5). I don't manipulate the session in the thread that is invoked with the await keyword. When the await operation completes, I then do a RedirectToAction to display the results of the operation.
When I check the session, just before executing the action I've redirected it to - it has the custom access attribute on it - that's when I find a new session has been created (so the authentication fails and I'm returned to the login page).
I use RedirectToAction at numerous points in the application, so that can't be the issue (or at least the only issue). Could the problem be something to do with the async/await call - even though I don't use or need the session within the code that is invoked by the await?
Is returning the ASP.NET thread to the pool and getting it back invalidating the session? If so, what's the solution? Can I save and restore the session across the await? Or will I have to implement some custom logic that records that the user was logged in in my database, for example?
Turns out that the problem was being caused by a Win32 DLL I'm using that was "touching" (i.e. changing the timestamp on) a config file. This was causing the web app to be reloaded at that point - thus invalidating the session.
I got this behavior when the green arrow at the top of Visual Studio Professional 2017 was set to "IIS Express". When I changed it to "IIS Express (Google Chrome)" my session variables quit disappearing every time I called RedirectToAction. I read in one of the posts that it could be related to the browser cookies.

ASP.net MVC 4 session cookie expires when user closes browser

I had the same issue as this guy. Because I am lucky, his solution also worked for me.
But I think it's a bit dirty and I was wondering if there isn't a better one.
I've set up this configuration on IIS, but the cookies will always expire when the user closes her browser (if I don't use the "cookie hack").
Any ideas?
EDIT: To clarify: It's not the server-side session that is lost, it's only the "ASP.NET_SessionId" cookie lifetime, which is incorrect.
EDIT2: After some research, I was wondering when the ASP.NET_SessionId cookie is actually set. If I delete it (using Firefox) and refresh the page (even several times) a new one won't appear ... What's going on here?
EDIT3: I just found out, that the session id cookie will be set if I put something into the session, so that question (EDIT2) is off.
The session cookie will expire as soon as possible for security reasons. One should not extend its lifetime due to session hijacking.
If you need "the old session back", then use ASP.NET authentication and generate a new session after the user comes back to the site. This will save memory and also increase overall security.

What is the lifespan of each data storage area in ASP .net MVC

I've seen some explanations of these, but nothing that really compares where they start, end, or overlap, or good examples of their use.
What is the life span of each of the following data collections? And am I missing any?
Application
Session
ViewData
TempData
application: as long as your application is running. your application may be automatically shutdown and restarted by the server for various reasons
session: as long as the user is actively using your site. this is generally determined by cookies that ASP.NET sends down to give each user a unique ID that expires after a while. there are lots of ways to customize & tweak this to meet various needs
viewdata: as long as the current request is being processed. this is used for sending data from a controller to a view for immediate rendering and thus not persisted
tempdata: until the value is read back out OR until the end of processing the next request in the session OR when the session ends/expires - whichever is sooner. this is meant to be used for moving data from one controller to another when you are issuing a Redirect
Application: This gets initiated at the time when an application starts and ends when the application stops the execution. If the user leaves the application domain or the application gets restarted, then the application-based data is also lost.
Session: This is application-based storage. This ends when the user leaves the current request or the session gets expired. It can be stored in several modes like application cookie or client-side cookie.
ViewBag & ViewData: This storage method holds the data for the current request. It transports the data between view and controller.
TempData: The lifespan of this storage type depends on which request the TempData is read at. Once it is read by the program it gets destroyed. But we can increase its lifespan using the Peek or Keep methods.

Rails, CookieStore vs ActiveRecordStore

I am currently experiencing a strange issue with our users being logged out. I haven't been able to reproduce it explicitly.
The Rails application is using the default CookieStore.
My initial hypothesis is that somehow the session data within the cookie, or even the cookie itself is being destroyed. This may be either from a user clearing browser data, or something within the system that has not been caught.
As of now, the authentication system appears to be functioning as intended (Authlogic), and we are not experiencing the issue wide-spread in other components of the application.
I am considering using ActiveRecordStore to see if the problem is resolved. My understanding is the session data would be stored within the database, and if a cookie was being removed - the user would not get logged out.
Are there many known pros/cons to using CookieStore vs ActiveRecordStore?
Why is CookieStore the default when creating a Rails application, and not ActiveRecordStore?
I can answer your last two questions.
You should not use the cookie store if you're storing sensitive data in the session because you want such data to be on the server-side and not on the client.
The cookie store is the default because Rails is giving you a strong hint that you should not be storing lots of data in the session, by virtue of the fact that cookie storage is limited to 4 KB.
I think CookieStore is the default because it is simple. It doesn't require a database table.
CookieStore is not as secure as ActiveRecordStore. With CookieStore, intercepted cookies will give access to a valid session forever, even if you create a new one. With ActiveRecordStore, you can invalidate a session by removing it from the database.
See this blog post: http://www.bryanrite.com/ruby-on-rails-cookiestore-security-concerns-lifetime-pass/
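
Added example (not from the answers above and not Rails' own code): a simplified standard-library model of the two storage styles the last answer compares. It shows that a signed cookie captured before logout still verifies unless it carries an expiry, while deleting the server-side row invalidates the ID. The `SignedCookieSession` module, `replay_after_logout`, the `exp` field and the sample user ID are constructed for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = SecureRandom.hex(32) # constructed signing key for this demo

# Stateless model: the whole session travels in a signed cookie value.
module SignedCookieSession
  def self.sign(body)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
  end

  # ttl (seconds) is optional; without it the cookie never expires by itself.
  def self.issue(data, ttl: nil, now: Time.now)
    data = data.merge("exp" => now.to_i + ttl) if ttl
    body = [JSON.generate(data)].pack("m0") # strict Base64, never contains "-"
    "#{body}--#{sign(body)}"
  end

  # Returns the session hash, or nil on a bad signature or past expiry.
  def self.verify(cookie, now: Time.now)
    body, mac = cookie.to_s.split("--", 2)
    return nil unless body && mac
    good = sign(body)
    # Compare every byte so timing does not reveal where the MACs differ.
    same = mac.bytesize == good.bytesize &&
           mac.bytes.zip(good.bytes).sum { |x, y| x ^ y }.zero?
    return nil unless same
    data = JSON.parse(body.unpack1("m0"))
    return nil if data["exp"] && now.to_i >= data["exp"]
    data
  end
end

# Presents a cookie captured before logout to each model after logout.
def replay_after_logout
  captured = SignedCookieSession.issue({ "user_id" => 42 })
  # Stateless logout can only ask the browser to delete its own copy.

  table = {}                 # stands in for the server-side sessions table
  sid = SecureRandom.hex(16) # the cookie would carry only this random ID
  table[sid] = { "user_id" => 42 }
  table.delete(sid)          # logout removes the row on the server

  { signed_cookie: SignedCookieSession.verify(captured), server_side: table[sid] }
end
```

Passing `ttl:` when issuing bounds how long a captured cookie stays usable in the stateless model; only the server-side store can end a session immediately.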
