Session variable dropped .net - asp.net

I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?

FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.

Related

ASP.NET LoginStatus control shows "Login" even though logged in

In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_

Why is session state lost so quickly?

We have a web application through which customers access information. It has been reported by many customers that they are logged out within 5 minutes of no activity. I believe this should only occur after the default 20 minute idle timeout, and this is the case when accessing the web app from inside our domain.
I also spent a few days troubleshooting an error in which some of the user's session data was lost between post backs about 60% of the time, causing an application error since the next page needed the data. The only resolution was a work-around in which I use an additional mechanism for caching the data between postbacks and pull the data from that cache if the session data is gone.
I have also noted that some websites that I visit which require logon credentials will also kick me out between postbacks. For example, a website for a school I take classes at requires logon credentials to their portal. At home I never have any issue, but if I access it from my work domain I often get random errors indicating that my credentials have been lost (i.e. "Unauthorized access is not permitted" after logging in and browsing to a page).
Combing the web for ideas has led me down a few paths, but most address the IIS worker process and ASP.NET and have not helped me.
Does anyone have any ideas or suggestions about how to resolve this?
this is not because of the programming problem...this is because of your host capacity...as you know session are a type of memory that is create for each user when they access to your website and it's terminated when they finish visiting...so in this case I suppose the number of site visitors has risen up,so by default when the memory become full, it kicks one session out and causes all these problems...I think the best thing to do is calling where you get your host services and ask for a service that cover sites needs
You just store your session value in to cookie so you can access that value when session terminate.. or you can use global file to manage session state..

ASP.NET Application Pool logs out user permanantely

I have the oddest situation...
On my ASP.NET website when the application pool recycles the user is logged out. This is fine. I know this is suppose to happen. But when the user logs back in and selects any link within the website, they are logged back out immediately. They consistently get logged out. I don't know what causes this and I don't know how to fix it.
The odd part is the work-around. If I log in from a different computer or from the IIS Server itself than the user that is getting logged out can log back in.
Does anyone have any ideas as to what is happening?
Standard Forms Authentication in ASP.NET is cookie-based and should not be affected by the session vanishing. But, you're probably relying on something in the session to determine whether or not the user is logged in. If you're using in-process session storage (and it sounds like you are), then your application code might act strangely if you get in a state where the Forms Authentication cookie still exists and is valid but the session information is missing. Instead of going to a different computer, try blowing away your cookies and logging in again, and I would presume that your issue is resolved.
One step is to move to out-of-process session storage (such as the ASP.NET State Server, which is simple to use with a few config changes) or to eliminate session usage entirely (by depending on values stored in cookies, though there are security implications there to consider if these values are not encrypted). Then, take a close look at how your application code handles the condition where a login cookie is set but the session data is invalid.
It's a shot in the dark based on the information provided, but hopefully it puts you or someone else on the right track.
I discovered the problem. In the Security settings of the ASP.NET Configuration each user that logs in needed to have one of the roles defined in the "Description" field. This is very odd to me be but it seemed to do the trick. Anyone know why this needs to be done?

ASP.NET Postback User Not Logged in

OK I have a problem im not sure how to handle.
I have an asp.net vb website with MSSQL on the backend. For every page, in the pre-init, it checks to see if the session("UserID") is logged in. If its logged in, it loads, if not, it brings you to the login page.
One of my pages has a textarea that someone could spend 15 minutes writing in, after they are done, they hit save and it is suppossed to upload the data from the textarea to the database, which it does if they are logged in.
Where I am running into problems, is I will be uploading new webpages to the site which kicks all users off the site and forces them to relogin.
I know it would be a security flaw to let them write to the database without loggin in.
Is there a way I can do something different like save that textarea locally to their computer? Or some other way that I am not thinking of?
What you can do is configure the session state to use Sql Server. In your web.config
<configuration>
<sessionstate
mode="sqlserver" .....
This way the session will remain active when you upload new webpages which causes the web application to restart.
Users are getting kicked off because when you deploy new pages, Host process restarts. and as you are using InProc sessions(assumption), sessions stored in memory are lost.
instead of storing sessions in memory you can store them in database. and whenever a user does a postback, check his session validity against database.
You should post or notify your users when you are going to be making site changes, and do it at a time that you don't expect many users to be on your site (like 2am on a Sunday morning). (this may be obvious, maybe not - I'm not trying to sound like a jerk :D )
That being said, you could do ajax posts every few minutes that would allow partial saving of their work so that if you DO boot them all off, they would only have a few minutes of work lost.
You could also set up a secondary service that holds your database transactions until the main database is available to be written to. Essentially have your pages send their information to a server and write it to a temp database - have that system run chron jobs that check to see if your main DB is up, and then send all of its updates when its up again.
When you update the site it essentially kills all of their sessions - I have heard that there is something you can do to preserve sessions across updates like that, but I believe its MVC3 related.
Good Luck.

Does ASP .NET Session reset after login?

EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feauture'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click even of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.

Resources