SQL Server to manage ASP.NET sessions doesn't work - asp.net

I follow the direction in here How to configure SQL Server to manage ASP.NET sessions to create ASPState db.
I have 2 web application in IIS 7. In IIS web application setting, i go to "Session State" and set session state as "SQL Server" and provide connection string.
In each web application web.config, i add
<sessionState
mode="SQLServer"
allowCustomSqlDatabase="false"
sqlConnectionString="data source=server;user id=user;password=password"
cookieless="false"
timeout="7200"
/>
I create a session ,
Session["Data"] = "test"
in Web App A and go to Web App B in the same browser to print it
Response.Write(Session["Data"]);
It shows NOTHING. I can see there are data in table : ASPStateTempApplications and ASPStateTempSessions under ASPState Database. Also, i dont see any error in event log. Can anyone think anything i may do wrong?
Thanks!!

You can not get session that belongs to App-A from App-B and vice versa.
The sessions are connected with the cookies, and the cookies are different between app-a and app-b, are random made. Even if set some how the same cookies then next the database connects session with the Application ID, that are also different for each applications.
So even if you have the same database, the application id is different, and the cookies are different, and you can not get session from a to b.
The only possible way to archive that is to make your custom session code, and some how knows that you have the same use on app-A and app-B, so to connected them together.

Related

from web.config to IIS Application Pool Identities

I'm new to IIS/ASP .Net development, my application is using connection string which are declared to my web.config.
Now I read/heard that I can use IIS App Pool Identities to use instead of web.config.
Here's what I did:
I've deleted my connection string from my web.config
setup my app pool Identity property -> (Identity = ApplicationPoolIdentity)
Added my connection string declared/within the App Site Connection Strings under "Custom" like "Data Source=sql...blah;Initial Catalog=dbname;Integrated Security=False;Persist Security Info=False;User ID=MyDBUserName;Password=MyPassword;Connect Timeout=60;Encrypt=False;Current Language=English;"
It works as far as I know, but my question is, is this really how you configure it?
I was under the impression that you could use some variable (username, pass, dbname..etc), declared it on your web.config and binds it thru your app pool identities but I cannot find any article regarding that.
Thank You
You can set the user that the app-pool runs under. All that does is make the app-pool think that the user is some particular user who is logged on to the server.
This tends to NOT effect your database code, since you STILL need to tell your code what database to use. Even if your host computer and network is say using a domain controller, and you using windows logons to consume sql server. Your .net code behind will WILL need some connection string to specify the database and server anyway. And you having added that user under app-pool identify (I assume this one):
Well, now that "user" is for your file and network rights. So, that user can say be restricted to some set of folders - maybe a another server with large number of documents.
Added my connection string declared/within the App Site Connection Strings under "Custom"
Yes, and that puts the connection string in web.config - if you check the web config after doing above, you should see that string in web.config.
So, in theory, in your code, you can connect to the database server - and your app-pool user will be used, but you STILL have a connection string - what database, what server, etc. still needs to be defined (and used in your code). I mean, say desktop with windows authentication to SQL server does not get you off the hook as having a defined connection string some place to use. While the user might be running in the context of the "defined" app-pool user, you still need some place to store and eventually use some connection string. So, the fact of defining what user in app pool the code behind will run as? You still need a connection string and the connection string you use to the database would not be stored, nor come from app-pool settings anyway.

Asp.net forms authentication IIS 7.5 with multiple servers

I have a Asp.Net web application running on Windows 2008 R2 (IIS 7.5). I have two servers WWW1 and WWW2 and the DNS records are set up for round robin DNS for "www". I increased the AppPool timeout and the Session State timeout settings so users don't get logged out after 20 minutes. However I've noticed users are getting logged out randomly. I think what is happening is the user goes to www.foo.com and logs in and then afterward some time the round robin navigates them to the opposite server in the cluster (WWW1 or WWW2) where the cookie was not created and therefore prompts them for a login.
How can I get this to work and still keep my high availability solution using round robin DNS?
The issue here is each server maintains its own session state in memory and doesn't know about sesssions created on the other server.
To get around this, instead of using the default InProc session state provider you'll need to use the StateServer or SQLServer session state providers.
To do this you'll need to make sure the ASP.NET state service is running on one of your servers and then you'll need to add the following configuration item to the system.web section of your application's web.config file, replacing 'SampleStateServer' with the name of the server you are running the ASP.NET state service on:
<sessionState mode="StateServer"
stateConnectionString="tcpip=SampleStateServer:42424"
cookieless="false"
timeout="20"/>
Microsoft's documentation on this is available at http://msdn.microsoft.com/en-us/library/ms178586.aspx
Because you are running this in a web farm you'll also need to make sure the web applications on both servers are using the same encryption keys.
For this you'll need to set a machineKey entry in the web.config whic involves adding an entry like the following to the system.web section of the web.config:
<machineKey validationKey="4D0590A0E4DE163BAD0EEEB6747467D770CD5FB2EA95BF02B27787A45CA579DECB01E2A1F16563DBAB44C1C0E54C7E53D65F2A7D0FDF378F4D3702B3F2C8B165" decryptionKey="928771D7B1B8C32608F56AC428EC5902985F6FB2E6E9A78733B6EAA493FA13F5" validation="SHA1" decryption="AES" />
There are several websites which will generate keys for you. I typically use http://aspnetresources.com/tools/machineKey
If you want to use the SQLState provider instead, http://msdn.microsoft.com/en-us/library/ms178586.aspx has all the configuration information under the 'Sql Server Mode' section of the page. The setup for that is slightly more involved as you have to configure a database in which you will store the state.

Store session (asp.net) in SQL Server

If we want to store sessions in SQL Server, which table stores the sessions?
To implement ASP.NET SQL Server mode session state management, you must modify the element of your application's Web.config file as follows:
1.Set the mode attribute of the element to SQLServer to indicate that session state is stored in SQL Server.
2.Set the sqlConnectionString attribute to specify the connection string for SQL Server. For example:
sqlConnectionString="data source=MySQLServer;user id=<username>;password=<strongpassword>"
Note The user, , must have permissions to perform this operation on the database.
The modified element should appear as follows:
<sessionState
mode="SQLServer"
sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
cookieless="false"
timeout="20"
/>
The question is that is there a particular table storing the sessions?
Store session in SQL Server is a vague concept.
Thanks.
You're supposed to run the ASP.Net SQL Server Registration Tool first. The tool will create the appropriate session state tables.
To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool.
Aspnet_regsql.exe is located at
%windir%\Microsoft.NET\Framework\v4.0.30319 ( 32 bit systems .net framework 4 )
Follow the following link to see how to add session table
How To configure SQL server to store session state
The other answers are correct in that you should use the Aspnet_regsql.exe tool to create the session database for you. But out of interest, once that is done, you can find all sessions stored in the temp sessions table.
For instance, my session database is called ASPState and the table of interest is called ASPStateTempSessions. ASP.NET calls the stored procedures to manage the sessions in this table.

Retrieve SSL session id in asp.net

Is there any way to retrieve the SSL session Id serverside in asp.net?
the short answer is no. This is an intentional limitation of IIS, so as to prevent people from taking a dependency on something that isn't dependable.
Out on the market, you will find various hardware load-balancers that will offer features like server persistence based on SSL Session ID, but they don't work very well because SSL renegotiation can happen at any time. In Internet Explorer 8, for example, a new SSL session is negotiated for every tab that is opened to a web site. You can expect similar behaviour from other multi-process browsers. So, I must stress that you should not use SSL Session ID for any kind of user identification purposes.
That said -- If you really need the SSL Session ID information for some specialized task, I recommend using Apache, mod_ssl and mod_proxy as a front-end to your IIS system. With a bit of fiddling, you could coerce mod_ssl into giving you the session ID, which you could then add to a proxied request to your IIS server as a query string parameter.... or you could store it in a database.
Tim,
Are you really "just" trying to retrieve the Session ID string or do you maybe lose all session information when switching to SSL? this would be a quite common problem, because the session on serverside is lost when using "InProc" session storage, and the session cookie on the client might be lost when not stored in a common domain.
Therefore, you should switch to state server or sql server session management in Web.config file, for example:
<sessionState mode="SQLServer"
cookieless="true"
regenerateExpiredSessionId="true"
timeout="30"
sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
stateNetworkTimeout="30" />
Beside that, I don't really know why you shouldn't be able to retrieve HttpContext.Current.Session.SessionID also in SSL mode as well.
Some MSDN Links:
MSDN: HttpSessionState.SessionID Property
MSDN: ASP.NET Session State Overview
Maybe this helps somehow.
Best regards

Can you share the session variables between two .net 2.0+ applications?

I was told this works, but...
I guess I'm just not getting this, it seems there's a hidden step I may be missing, can anyone correct this or point out my mistake? Thanks.
I have a blank solution:
- inside is two .net 2.0 web applications
1) webapp1
2) webapp2
I want them to share the same session data.
My page setups:
Application 1:
Session("value") = "this is the value"
Application 2:
If Not (Session("value") Is Nothing) Then
value = Session("value").ToString()
End If
My thought process:
1) go to services, turn on the asp.net state service
2) open the web configs in both projects: set the
< machineKey
validationKey="BFE2909A81903BB303D738555FEBC0C63EB39636F6FEFBF8005936CBF5FEB88CE327BDBD56AD70749F502FF9D5DECF575C13FA2D17CA8870ED21AD935635D4CC"
decryptionKey="2A86BF77049EBA3A2FA786325592D640D5ACD17AF8FFAC04" validation="SHA1" />
< sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424"
cookieless="false" timeout="20"/>
in both sites.
3) compile and test the site
4) become disappointed because it does not work. I never see the session from the second webapp.
You cannot share sessions between different ASP.NET applications without some custom code. What you did in web.config was to use an out of process sessions, which means that data will no longer reside into memory but into the memory of a dedicated machine. This is useful for server farms and it uses the ApplicationName to know which application the session belongs to. So basically your applications need to have the same name if you want them to share sessions. There are some dirty workarounds though.
Why do you want to share Sessions between applications? ASP.NET Session is not designed to do that.
Your proposed solution of using the same ASP.NET State Server does not work because your user will simply get 2 different session tokens, even if they use your 2 applications concurrently from the same machine, and same browser. You need to consider how Session works to understand why this is.
From MSDN:
ASP.NET session state enables you to store and retrieve values for a
user as the user navigates ASP.NET pages in a Web application. HTTP is
a stateless protocol. This means that a Web server treats each HTTP
request for a page as an independent request. The server retains no
knowledge of variable values that were used during previous requests.
ASP.NET session state identifies requests from the same browser during
a limited time window as a session, and provides a way to persist
variable values for the duration of that session.
ASP.NET Session is a metaphor for a user's current interaction with one ASP.NET application. It exists in ASP.NET to give us a place to store temporary state data between the various page requests that a user makes while using your application.
If your applications are very closely related, e.g. the user uses both at the same time, or almost the same time, you could consider merging them into a single ASP.NET application. You could deploy them into different Virtual Directories to maintain some degree of logical separation, but use only one Application in IIS.
If your applications are not that closely related, perhaps they should be sharing the same database as a means to exchange data, or using an API e.g. based on Web Services to exchange information.
They will share session data if they are in the same app pool and the session mode is set to inproc. The way that stateserver and sqlstate work is they use the root of your web address as logical boundaries.
Eg if they are both hosted on the same address and port (or 'site' in iis) but in different sibfolders then they should share session I think.
Additionally both apps must run on the same domain so that user browser use one cookie to store session id.

Resources