My session variables are being lost between pages. Interestingly, this seems to be environment-specific - in our production environment, this works fine, in our test environment, we lose the session variables. This previously used to work in our test environment with the same code, which leads me to believe it's some IIS or server setting that's different.
This is an integration to SFDC where I am adding some session variables on page load. Then, after a user goes through a login flow, SFDC calls back and I try to read those session variables.
Here's how I set the session variables:
Session.Add("tenantID", tenantId);
Session.Add("clientID", tenantInfo.SalesforceKey);
Session.Add("session", session);
Session.Add("clientSecret", tenantInfo.SalesforceSecret);
Session.Add("userEmail", user.Email);
Logger.Debug("Set session tenantID to " + int)Session["tenantID"]).ToString()); // This outputs the proper value.
However, in our callback function in the same controller, when running this code, all session variables are null.
public ViewResult Callback(string code)
{
Logger.Debug("Entering callback, code:" + code);
Logger.Debug("Session vars:");
if (Session["tenantID"] == null) // This is true
Logger.Debug("tenantID: null");
if (Session["clientID"] == null) // This is true
Logger.Debug("clientID: null");
if (Session["session"] == null) // This is true
Logger.Debug("session: null");
if (Session["clientSecret"] == null) // This is true
Logger.Debug("clientSecret: null");
// etc...
}
Initially I thought session was being ended, so I added the following in Global.asax. There's no session ended log line output until well after the callback executes.
void Session_End(Object sender, EventArgs E)
{
// Clean up session resources
Logger.Info("session ended for " + (string)Session["userEmail"]);
}
void Session_Start(Object sender, EventArgs E)
{
// Clean up session resources
Logger.Info("session started.");
}
Some clues that might help here:
- I ran a fiddler to capture the initial page load and the callback, and the ASP.NET session ID was the same in both requests:
(Page Load): Cookie: ASP.NET_SessionId=j1ggxuamkc2rk3q03z2vwye1
(Callback): Cookie: ASP.NET_SessionId=j1ggxuamkc2rk3q03z2vwye1
Previously, our logger statements would output to one file, however, we use log4net, and it now seems to be creating a second file to output the callback logger statements. In production, we only see one file. If I get a session end log from the Global.asax code in the first file (associated with page load), I can read the session values. If I get a session end log in the second log file (associated with callback), the session values are null again.
My web.config does not have any sessionState element included, and this is set the same across production and test.
Thank you for your help.
Here are the IIS Session State settings for that web application:
Session State Mode settings: Set to In Process
Cookie Settings: Mode: Use Cookies
Name: ASP.NET_SessionId
Time-out: 20 minutes
Regenerate expired session ID is unchecked
Use hosting identity for impersonation is checked
Compare the settings for the application pools between the test and prod environment.
I have also similar situation where our application runs fine in server and not in local due to session variable null. If you are implementing sessionfilter in MVC, it is better to run the application in IIS Express in visual studio instead of visual studio development server. That solves our problem of session loss.
Related
We have a web application that uses SignalR for its notification mechanism.The problem is when we are browsing our web application using IE ,SignalR uses Long Polling as its transport type thus sends back requests to our web server therefore Session never expires no matter how long the browser is idle.
We were thinking that maybe we could catch the requests in Global.asax and see if they were from SingalR and set the session timeout to the remaining time (Which I don't think it's a straightforward solution).
Is there any other solution the we are missing ?
The workaround I am currently using is an IHttpModule to check if the request is a Signalr request, if so remove the authentication cookie, this will prevent the ASP.net session timeout from being reset, so if your Session Timeout is 20min and the only requests are Signalr the users session will still timeout and the user will have to login again.
public class SignalRCookieBypassModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.PreSendRequestHeaders += OnPreSendRequestHeaders;
}
private bool IsSignalrRequest(string path)
{
return path.IndexOf("/signalr/", StringComparison.OrdinalIgnoreCase) > -1;
}
protected void OnPreSendRequestHeaders(object sender, EventArgs e)
{
var httpContext = ((HttpApplication)sender).Context;
if (IsSignalrRequest(httpContext.Request.Path))
{
// Remove auth cooke to avoid sliding expiration renew
httpContext.Response.Cookies.Remove(DefaultAuthenticationTypes.ApplicationCookie);
}
}
public void Dispose()
{
}
}
I feel this is a real hack solution so would love so other ideas to prevent session timeout renew when data is pushed to the client from the server, or a when javascript client polls an endpoint for data.
If you take a look at the description of the SignalR protocol I wrote a while ago you will find this:
» ping – pings the server
...
Remarks: The ping request is not really a “connection management request”. The sole purpose of this request is to keep the ASP.NET session alive. It is only sent by the the JavaScript client.
So, I guess the ping request is doing its job.
I here post #Simon Mourier's commented solution, with his approval, as a CW answer, as I find the suggested approach the most appropriate and less intrusive, as it just disables the Session for SignalR requests.
A positive side effect is that the request will be processed faster as the Session object doesn't need to be initiated and loaded.
It still uses a IHttpModule for the work, and the preferable place is likely the AcquireRequestState event (not personally tested yet though), or at an event raised earlier, before making use of the Session object.
Do note using this approach that one might need to test that the Session object is available before access any of its members or stored objects.
public class SignalRSessionBypassModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.AcquireRequestState += OnAcquireRequestState;
}
private bool IsSignalrRequest(string path)
{
return path.IndexOf("/signalr/", StringComparison.OrdinalIgnoreCase) > -1;
}
protected void AcquireRequestState(object sender, EventArgs e)
{
var httpContext = ((HttpApplication)sender).Context;
if (IsSignalrRequest(httpContext.Request.Path))
{
// Run request with Session disabled
httpContext.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Disabled);
}
}
public void Dispose()
{
}
}
Here is another completely different approach, simple, yet quite efficient.
Instead of relying on Session/Auth cookies to decide whether a user has timed out, use the Cache object. This have more or less no side effects and work just like if the user simply logged out.
By simply add this small snippet somewhere in the beginning of your web app code, where of course SignalR don't go, you will be able to check if the cache item is there and reinitiate it (with the same expiration time as the Session timeout is set), and if not, just do a logout and remove cookies/session variables.
if (Request.IsAuthenticated) {
if (Cache[Context.User.Identity.Name] == null) {
// Call you logout method here...,
// or just:
// - Sign out from auth;
// - Delete auth cookie
// - Remove all session vars
} else {
// Reinitiate the cache item
Cache.Insert(Context.User.Identity.Name,
"a to you usable value",
null,
DateTime.Now.AddMinutes(Session.Timeout),
Cache.NoSlidingExpiration,
CacheItemPriority.Default,
null
);
}
And within your user login method, you just add this, to create the cache item for the first time
// Insert the cache item
Cache.Insert(Context.User.Identity.Name,
"a to you usable value",
null,
DateTime.Now.AddMinutes(Session.Timeout),
Cache.NoSlidingExpiration,
CacheItemPriority.Default,
null
);
It's more stable and maintainable -in my view- to have your own "session like timeout" . Set your .NET session timeout to infinity since you'll not be using it and then create a global JavaScript counter (in your layout or master page) to track the time passing while the browser is idle (obviously setTimeout or setInterval every few seconds would do the trick). Make sure to have the counter reset on every web request (that should happen automatically since all JavaScript variables would reset). In case you have pages that depend on web services or Web API, make sure to reset your global JavaScript counter on every call. If the counter reaches your desired timeout without being reset, that means that the session is expired and you can logout the user. With this approach you'll have full control over the session lifetime which enables you to create a logout timer popup to warn the user that the session is about to expire. SignalR would perfectly fit with this approach since the JavaScript timer would keep ticking.
In my Web Application, i am getting an error. "Session state has created session ID. But It can not save it because it was already flushed by application".
I googled for this issue and found that i have to store session id in Global.asax Session_Start Event.
string id = Session.SessionID;
But it was already exist in my application. I am not sure what else is causing issue. I was not using Response.Flush() also.
Can anyone please explain about this issue & fix for it.
That happens because sometimes (depending on the web.config configuration) the SessionID is not set in the cookie when Session_Start event executes in the global asax.
You encounter this error because at somepoint in the pagelifecycle a variable is set in the session. After the request ends, ASP.NET tries to set the SessionID too, but if the Request was flused (eg. this can be done by Response.Write or AJAX itself flushes the response) this exception will be thrown.
A simple fix would be (in the global.asax file):
void Session_Start(object sender, EventArgs e)
{
// Code that runs when a new session is started
//Ensure SessionID in order to prevent the folloing exception
//when the Application Pool Recycles
//[HttpException]: Session state has created a session id, but cannot
// save it because the response was already flushed by
string sessionId = Session.SessionID;
}
I want to insert a visitor counter in my ASP site, so I've used a global.asax file to implement that. The problem is when the session ends the "AllVisitorCount" gets the default value which is set to 0 in my web.Config.
The code is:
void Session_Start(object sender, EventArgs e) {
// Code that runs when a new session is started
int allVisitorCount = 0;
if (Application["AllVisitorCount"] != null)
allVisitorCount = (int)(Application["AllVisitorCount"]);
else
Application.Add("AllVisitorCount", 0);
allVisitorCount++;
Application["AllVisitorCount"] = allVisitorCount;
}
Be sure you have slidingExpiration set to False in your web.config
"Application" is not a permanent object. It is created once your application starts (e.g the first session is started) and disposes of after your application pool times out. You can either persist your variable or simply change "Idle time-out" parameter in your AppPool (IIS=>Application Pools => your AppPool (or DefaultAppPool if you haven't defined one)=> Advanced Settings => Idle Time-out).
It's possible that your application pool is timing out with your session, thus clearing all Application variables.
Please provide more details such as: is this hosted in IIS, IIS Express, Cassini; how does the Session end (programmatically, timeout, etc.); have you placed a breakpoint on Application_End to see if the event is triggered.
I want to read session id in application error event but always get error "Session state is not available in this context". Why? The strange thing is that I have the same code in another asp.net app and everything works fine.
void Application_Error(object sender, EventArgs e)
{
var sessionId = Session.SessionID;
//skipped code
}
The session object may not be available this is dependent on when the error occured.
For example if an error occured on Begin_Request the session would not be available as it has not yet been created.
So in summary sometimes it will work sometimes not, depending on when the error occured.
Best to check the state of the session object before accesssing the session id e.g.
HttpContext context = HttpContext.Current;
if (context != null && context.Session != null) ...
check if any event missing in c# which is mapped to a control or issue in design part
Application_error can fire in situations where a session is not present, for example when the garbage collector cleans up. The source of the error may not have been a user thread.
Just check whether session is null first.
Simon
You may get this error if you are using an Out-of-Process state mode for ASP.NET state server. You need to mark any classes you wish to save to session state with the [Serializable] attribute
We would like to have the FormsCookieName of FormsCookiePath change per instance of our application. We have an application which has multiple instances on 1 server/domainname. Because of this we can only work in 1 application at the same time, since the cookies will overwrite eachother. Same for the Sessions btw.
Is there a way to dynamicly, for example in the Global.asax Application_Start, change this name? This would be usefull as we keep a license name in each application which could be used as the basis for the CookieName.
We already work with Web.config and extra files to overwrite Web.config values in external files using: <appSettings file="Web.AppSettings.Config">
But this requires manual actions which can be forgotten and are redundant since the settings can be retrieved from the database.
Thanks.
I had similar situation, I did the following. In the Application_Start, I checked to see if my cookie name needed change. This would occur after a new deployment for all applications where I have the same web.config for all.
protected void Application_Start(object sender, EventArgs e)
{
// determine unique cookie name per application
string cookieName = ...
// Get the web.config forms settings
Configuration c = WebConfigurationManager.OpenWebConfiguration("~");
AuthenticationSection auth = c.GetSection("system.web/authentication")
as AuthenticationSection;
// See if we have mismatch in web.config or in Forms cookiename
if (auth != null && auth.Forms != null &&
(auth.Forms.Name != cookieName
|| FormsAuthentication.FormsCookieName != cookieName
)
)
{
// Assign value in web.config for future restarts
auth.Forms.Name = cookieName;
// would be nice if this restarted the app, but it doesn't appear to
c.Save();
// This seems to restart the app
System.Web.HttpRuntime.UnloadAppDomain();
}
...
}
The web.config is modified on the application start and then the web app is restarted. Next time the web app comes up, cookie names are in sync and the reset code is skipped.
I have been struggling with Cookies with quite a few days. It has been an awesome learning experience.
So wanted to share the possible ways I found & discovered: There are several HACKs to modify Forms Authentication Cookie name:
You can automate the modification of cookie name under Authenticaiton secion of Web.Config file in Application_Start event in Global.asax. Thanks to Ron for sharing this. But I could not guarantee that the user whose identity would be used to run application domain have enough privileges to modify the file on disk or not. Hence I needed an improvised solution, so I devised following.
Thanks to ILSpy for letting me see inside the FormsAuthentication class, and many thanks to Reflection to let me modify the private field of a class. I used following code to modify the cookie name on run-time with following small piece of code and this worked like a charm !!!
protected void Application_Start(Object sender, EventArgs e)
{
// This will enforce that FormsAuthentication class is loaded from configuration settings for the application.
FormsAuthentication.Initialize();
// The new cookie name whatever you need can go here, I needed some value from my application setting to be prefixed so I used it.
string newCookieName = string.Format("{0}.ASPXAUTH", ConfigurationManager.AppSettings["SomeSettingThatIsUniquetoSite"]);
// Modifying underlying baking field that points to FormsAuthentication.FormsCookieName
Type type = typeof(FormsAuthentication);
System.Reflection.FieldInfo field = type.GetField("_FormsName", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static);
field.SetValue(null, newCookieName);
}
Suggestions, loopholes are requested as this is my first answer on this forum.
According to MSDN, the FormsAuthentication.FormsCookieName property that stores the cookie name is a read-only property. This property must be read from the web.config.
Each instance will need a separate name in the web.config. I suggest including the name of the authentication cookie in your existing change management system.