Classic asp application session lost after Response.Redirect - asp-classic

The code is hosted on the same server under two different domains, one for internal testing (abc1.com) and one for external testing (abc2.com), each with its own app pool; the code and the folder structure are the same.
The session-lost issue occurs for only one domain, abc2.com.
The session is set on one page, and after Response.Redirect the session is lost when I try to access it, in the case of the external testing site only.
Does anyone have any clues?
How do I troubleshoot this issue?

There are actually two problems here;
As #John rightfully mentioned in the comments, if the domains don't match then your sessions aren't carried over. The reason is that for sessions to work classic ASP issues a unique cookie per visitor.
Cookies are bound to a (sub)domain; if you run on two different (sub)domains, the cookies set on one domain can't be read by the other domain. Therefore the session on one domain won't be matched to the other domain.
Unfortunately that still won't solve your problem completely, because each application pool in Classic ASP also creates its own session cookie. That's why increasing processes on your application pool will also result in a messed up session scope.
So in short, sessions in classic ASP only work in the same domain using a single application pool process.
The only way to work around this is to write your own session scope, issue your own cookies per user, and store corresponding variables in a backend of your own.

Related

Asp.net website loses session on changing client url

I have an asp.net website running on IIS7 and have been having an issue with some users from a university suddenly losing their session. The one thing all these instances have in common is that the user's client url/host address, that they are accessing our website from, changes half way through their session. To be clear, this is what I am recording on their page access:
Request.UserHostAddress.ToString()
Session state is tracked using the standard asp.net cookie. The relevant line in web.config:
<sessionState mode="InProc" timeout="40"/>
The website doesn't use frames, and is run from a single server (i.e. not a web farm) using a single worker process (i.e. no web gardening). It only occurs periodically to a single user while other users' sessions remain open at the same time.
I've added cookies to the list of things to be logged for the site as per this article on troubleshooting Session loss. A couple of questions:
Is it possible that it is the university that is dropping the session cookies and our server isn't even receiving them? And if so, would enabling the logging of cookies pick this up?
Is it possible that IIS drops the cookies if they don't match the previous url associated with it?
The cookie keeps the connection with the session and is associated with the domain. In some cases the domain may be called with www. in front and in other cases not, and the cookie will be lost, and so the session.
To avoid that, place the domain name in web.config as
<httpCookies domain="domainname.com" .... />
without the www., to keep the cookies with or without it.
Now, because you use InProc, which runs as a service and keeps the session in memory and not in a database, this service is known to drop the session for some reasons. To avoid that you must use a database to keep your session.
Another case can be a move from https to http: if you have set the cookie to be secure only, it will be lost again.
related Share session between ashx and aspx
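
The cookie-scoping cases raised in the answers above (two unrelated domains, www. versus the bare domain, and a Secure cookie after a move from https to http), worked through as an added example that is not part of the original posts. It is a simplified model of RFC 6265 matching that ignores path, expiry, SameSite and the public suffix list; the Cookie class and the function names are illustrative.

```python
# Added illustration: simplified RFC 6265 cookie matching (Domain + Secure only).
from typing import NamedTuple, Optional
from urllib.parse import urlsplit


class Cookie(NamedTuple):
    name: str
    set_by_host: str               # host whose response carried Set-Cookie
    domain: Optional[str] = None   # Domain attribute; None means host-only
    secure: bool = False           # Secure attribute


def domain_match(host: str, domain: str) -> bool:
    """Identical, or host is a subdomain of domain (a leading dot is ignored)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_sent(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False                                   # Secure: never over http
    if cookie.domain is None:
        return host == cookie.set_by_host.lower()      # host-only: exact host
    if not domain_match(cookie.set_by_host, cookie.domain):
        return False                # rejected at set time: foreign Domain value
    return domain_match(host, cookie.domain)


# Constructed sample cookies, using the host names from the posts above.
HOST_ONLY = Cookie("ASPSESSIONID", set_by_host="abc1.com")
BARE = Cookie("ASP.NET_SessionId", set_by_host="domainname.com")
WIDE = Cookie("ASP.NET_SessionId", "www.domainname.com", domain="domainname.com")
FOREIGN = Cookie("ASPSESSIONID", set_by_host="abc2.com", domain="abc1.com")
SECURE = Cookie("ASP.NET_SessionId", "www.domainname.com", secure=True)

if __name__ == "__main__":
    cases = [(HOST_ONLY, "http://abc2.com/page.asp"),
             (BARE, "http://www.domainname.com/"),
             (WIDE, "http://domainname.com/"),
             (FOREIGN, "http://abc1.com/page.asp"),
             (SECURE, "http://www.domainname.com/")]
    for cookie, url in cases:
        verdict = "sent" if is_sent(cookie, url) else "NOT sent"
        print(f"{cookie.name:18} {url:30} {verdict}")
```

The FOREIGN case shows why a Domain attribute cannot bridge abc1.com and abc2.com: a browser discards a cookie whose Domain does not cover the host that set it.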

Sharing Session state between web applications on separate servers

Is it possible to share Session state between web applications on separate servers? One of the web sites is using session state to maintain user credentials/info session state, the other is using forms authentication to maintain this information. Without modifications to the website using session storage, is it possible for the website using forms auth to read/access the session state on the other server? If not, which I assume is the answer, would it be possible if they ran on the same server? (i.e. the same app pool)?
Note: Both applications are under the same domain name (one of them will be a sub-domain)
As a note, the reason this is being asked is because a client is requesting a "single sign-on" approach between two websites. We're using forms authentication and the other site (which we cannot modify at this moment) is maintaining credentials/logon information in session.
ASP.NET 4
IIS 7.5
Assuming the latter, you could try something like this:
First, make sure all the applications are running in the same domain. If not, all bets are off. I don't know if there's a simple way to configure the domain property of the session cookie yet, so you may have to do it yourself, by setting the cookie domain property to the domain:
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
You'll need to make sure that each application is configured to use either a common state server, or a db-backed session.
Please follow the link: How to share session state across subdomains

Set domain of session cookie dynamically in ASP.NET

I use session objects in my web application which are traced by the ASP.NET session cookie internally, as we all know. So access to that cookie is essential to have access to session objects. I want my asp.net application to work under http:// and http://www or any subdomain (domain is unknown to me at development time).
Can't be done. The session cookie only works for 1 domain and 1 domain only.
You could, however, write your own session management system and maybe accomplish shared session that way. I still don't think you'd be able to re-use the cookie because the browser won't even send it in the first place.
After some more thought I've decided that I'm not sure. :) Perhaps if both subdomains map to the same ASP.NET application you could get shared session to work. All you'd have to do is set your cookies as such:
<httpCookies domain=".maindomain.com" />
If the different subdomains don't map to the same app, I think you'd definitely have to write your own session management.
Clearly, at this point you should take everything I've written with a grain of salt. I'm only leaving my answer up for you to get some ideas and so that people may comment on the correctness of it.
Why don't you leave domain field empty? That way you won't bind your cookies to some specific domain and will be able to play well whatever the domain of your site will be.

Classic ASP session is aborting when site is hosted in Cloud Environment

I'm storing my user details in the session variable. When some I/O operation happens, the other users' sessions are also destroyed. If I run the same application in the single-server environment the session works fine.
I have tested with this code also
{meta name='test' content='Set-Cookie: ASPSESSIONID=494351627; path=/' /}
What would be the problem?
Thanks in advance.
Probably the App Pool would be restarting. This could happen every couple of minutes if there is a shared server with several sites sharing an app pool and the app pool is set to recycle if it uses up too much memory.
The only fixes for this are:
a) move onto a different hosting environment
b) use cookies to identify the user and look them up in the database (eg store an encrypted user ID in a cookie and store any related data in the database)
If you have a lot of other stuff in session memory you could consider implementing a database table just for storing session state (in classic asp you would have to roll your own - in .net this is a standard config option).
If it is a big app with a lot of reliance on session variables you would want to go for option A if possible.
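
Both the first answer on this page ("write your own session scope, issue your own cookies per user") and the answer above (look the user up in the database) point to a session store that lives outside the worker process. A minimal sketch of one, as an added example rather than code from any of the posts: it uses SQLite in place of the real database and an opaque random token in place of the encrypted user ID mentioned above; the table, class and cookie names are assumptions.

```python
# Added illustration: database-backed session store keyed by a random token.
import hashlib
import secrets
import sqlite3
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS sessions (
    token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL, expires REAL NOT NULL)"""


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, path: str, ttl: int = 20 * 60):
        self.db = sqlite3.connect(path)   # state lives in the file, not the process
        self.db.execute(SCHEMA)
        self.ttl = ttl                    # session lifetime in seconds

    def create(self, user_id: str, now=None) -> str:
        """Issue a new opaque token; this is the value placed in the cookie."""
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        with self.db:                     # commits on success
            self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                            (_digest(token), user_id, now + self.ttl))
        return token

    def lookup(self, token: str, now=None):
        """Return the user id for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT user_id FROM sessions WHERE token_hash = ? AND expires > ?",
            (_digest(token), now)).fetchone()
        return row[0] if row else None

    def destroy(self, token: str) -> None:
        """Log out: the token stops working in every worker at once."""
        with self.db:
            self.db.execute("DELETE FROM sessions WHERE token_hash = ?",
                            (_digest(token),))


def cookie_header(token: str) -> str:
    # Host-only (no Domain attribute), HTTPS-only, not readable from script.
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Opening a second SessionStore on the same file stands in for a recycled app pool or a second worker process: the token issued by the first instance still resolves.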

ASP.NET_SessionId cookie value does not allow multiple logins to the same web application from the same pc

We have a web application running on ASP.NET 3.5. It is viewed by the world as one URL but in reality there are multiple IIS boxes hosting the application controlled by a load balancer.
My problem is that it is a sensitive application with strict security controls around it, and that post authentication, if you open another browser to the same application and log in as someone else, the second login overwrites the first login's session id value in the cookie, and then the first window crashes.
Any idea how I can get around this?
The session ID is placed in the cookie. If another browser window is opened and starts a second session the ID in the cookie will be replaced.
Also, logins should not be controlled via the session cookie. There is a Forms Authentication cookie for that purpose which is more secure as I recall.
Most web applications only allow one session per PC. Try logging into Yahoo Mail, Amazon or Ebay twice on the same machine and you will find the same problem. So ASP.NET is pretty much designed around the idea that there is one login per PC. Although, if you have multiple browsers installed on a machine, you can generally log into apps more than once because each browser keeps its own cookie collection.
edit: You might want to try cookieless sessions, in theory they might allow multiple sessions per PC, although I haven't tried it. But cookieless sessions come with plenty of problems and limitations of their own.
In short, there may be some hacky way to do what you want to do, but it will probably be fiddly and cause other problems elsewhere, because what you are asking for goes against the grain of ASP.NET's core design.
