Everything I know about Asp.Net Session Providers I know from this MSDN page. However, at work we're using the MySql Session Provider and I'm confused about one detail: Session Expiration.
On that MSDN page, it says:
The ASPState database includes a SQL Server Agent job that
periodically (by default, every 60 seconds) calls the stored procedure
DeleteExpiredSessions to remove expired sessions.
I have a few problems with this. We're using MySql so there is no SQL Server Agent to do this. Also, there doesn't appear to be any Routines at all for our instance of the database. For the record, we do have autogenerateschema="true" so if it used Routines, I'd imagine it would have made them.
Can somebody shed some light on the MySql specifics of the Session State Store and Session Expiration?
From the source code, it looks like the MySqlSessionStateStore class takes care of it by running a timer that clears expired sessions.
Related
In my .NET application i kinda need a session provider which is persistent like Sql Server Session Provider but also provides good performance like InProc Session Provider.
So the idea that i come up with is , to keep session data in memory cache of the application but also use a background thread to store/update it at sql server database. In case, IIS application recycles or somehow the data in memory cache is lost, we will fetch session data from database into memory cache again.
I need to implement a custom session provider which works the way i explained above.However i dont know, if it is good idea or a bad one. I have searched online but there are not many custom session providers.
Any suggestions?
As a future reference, i think what you were asking is basically use the Session State with Sql Server In-Memory. Have a look to the following guide: ASP.NET Session State Provider for SQL Server In-Memory OLTP.
Cheers
I'm using the InProc session-state mode in my web application.
In order to test the client's behavior on a session loss I restarted the web server, first just iis, then the entire machine. Both actions did not lead to a session loss.
This puzzles me: The session is stored on memory, right? How can the session be retained after the machine restarted? Does IIS dump the sessions on disk on a restart? If so, where is this documented and how do I flush the sessions for testing purposes?
I'm using IIS 8 on Windows Server 2012.
EDIT: I don't know whether I actually lose the session - what I know is that my cookie is still accepted. (I don't actually use any "session", I just need to authenticate the user.) It could be that the authentication ticket is usable even after the actual session is lost, as is suggested here.
EDIT: Also look here for more information about the forms authentication cookie and what's in it.
Contrary to what I assumed, the authentication entry in the cookie isn't merely an opaque identifier of a session, but actually a encrypted username with an expiry time. It is not directly related to a session at all, and its validity is independent of the validity of any sessions.
That means that the expiry of authentication and the loss of the session are two distinct events that usually occur at different times.
Look at this and this link for more information.
Does anybody know of a way to query across all active sessions when using StateServer service in a .NET 4.0 web app?
In my scenario, I am setting a piece of session data when the user navigates to one of our partner sites. The partner site then periodically calls a service on our site which verifies if the session is still active and returns some other data.
I managed to get it working when I was initially using InProc sessions using the solutions outlined in: List all active ASP.NET Sessions, however when I switched to using StateServer service, these techniques don't work and I can't query the sessions.
Any ideas?
Many thanks
I suggest you to go through this article - Counting the Currently Active Sessions
The session state is stored in a database called ASPState. The
database includes several stored procedures and creates a couple of
tables to the TempDB database. The tables are called
ASPStateTempApplications and ASPStateTempSessions. Knowing how many
sessions are currently active is as easy as running a SELECT against
the AspStateTempSessions table. If the session is working in
StateServer mode, none of these tricks will work.
Reference:
Session State Management
The ASP.NET Sessions Active counter (NOT State Server) shows invalid number after installing .NET 3.5 SP!
Count Active Sessions in ASP.Net, some what same as the link you specified in the question.
I'm working with an asp.net application that stores most data in a database and not session. I'm wondering of the pros and cons of each and which is the better way to go. For example, you have a pretty busy site and instead of storing user specific variables in session, there is a DB table called user data and it can store all user specific data that can be accessed from any page by querying the database. Which is the better way to go, session or database?
Session (but it depends a lot of the session configuration) :
No database access, or less.
Temporary storage : you may lose the information, at least when the session ends.
Maybe some security issue, depending on where you store the session information
Not shared : you may have issues if you're using a server farm, one server may not have access to the other server session.
May not work if the client disabled the cookies.
Database :
Database traffic for each postback if you need the information on each page.
Permanent storage.
No information stored with the client (cookies...).
Shared : data accessible from any server on a web farm.
Please note that you can store Session information in database. That's why I use the word "may" in the Session part.
See here some session configuration and possibilities
Anything stored in session state will vanish when the AppDomain is reset.
You could avoid that by using an out-of-proc session state handler, but that's no better than a database.
Interesting question. If it's data that's not important across sessions (say, last page viewed) -> session. If it's data that should be persistent (say, password) -> database. The interesting case and the one you probably refer to: Data that should be persistent but is also used often (say, the username). From these, I tend to copy those values from the DB into the session that allow me to work without database access in pages with trivial tasks.
In many cases, I use Session to store temporary data about the... well... "session". In ASP.NET, session is configurable. You can use in-proc (default) which uses the server's memory. You can also configure session to use a database or a session management tool (in case server memory is a problem or you move to a cluster/farm environment).
Session is meant to be temporary. This is great when you are truly storing data about the user who is using your application at that moment. When the user leaves the app and his/her session expires, the memory is freed up. You don't have to manually clear anything out.
Session uses the server's memory. As long as you have enough memory and you're not on a server cluster, this works great. Memory is fast, so getting and setting data in session is very fast and uses zero network bandwidth.
Have said all that, in a few of my apps, I have session configured to use SQL. It's basically the same as using the database directly, but I don't have to deal with DAL... just let the framework work for you.
When we add a variable to ASP.NET Session, where are those variables actually stored on the client side?
If you are using the default session in ASP.NET then it is stored in memory inside the ASP.NET worker process. It is a server side cache, nothing at all to do with the client.
There are other session store options available such as dedicated session state machine or sql server. You can also roll your own session provider.
All explained here http://msdn.microsoft.com/en-us/library/ms972429.aspx
The client is given a cookie to identify it (ASP.NET_SessionId) but all the values are stored on the server.
If you use Firebug or Fiddler you can see this being set. You can see what the value is by using Session.SessionID.ToString()
As redsquare suggests the default configuration is to store all the values in the memory of the server (one reason to limit what you store in session) but you can also store it in sql server, state server or your own provider if you wish,
If you alter the value in the identifying cooking then it will alter who the server thinks you are when it comes to returning session variables. We use this feature to help us debug what is in users sessions.
I think also the identifying session cookie has a property called something like HttpReadOnly set so it cannot be read from javascript for security reasons.
The session is stored on the web server and not the client. ASP.NET usually stores a key to the session in a cookie and uses this to identify your session next time you contact the web server.