Severe Session issues ASP.NET - asp.net

I have a kind of an ugly situation.
I have a big program that uses session to carry over data from one page to another in a CRM system build in ASP.NET 3.5 C#
The problem is that if you have two instance of this program open in the same browser and browse the same page, the sessions of course gets overridden.
As you can imagine, this is a huge issue and a huge liability for the system.
What is the right thing to do here? I use tons of AJAX, and need to pass objects from page to page, so url parameters is not really an option here.
Any suggestions?

What is your web.config sessionState configured? I think in your situation you can reduce the severity of your problem by configuring it as follows:
<configuration>
<system.web>
<sessionState mode="InProc" cookieless="true" timeout="20"/>
OR
<sessionState cookieless="true" regenerateExpiredSessionId="true" timeout="20" />
</system.web>
</configuration>
But the latter is going to mangle your URLs. You'll end up with ASP.NET inserting session IDs into your URLs, something like http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx. More about it here.

Related

Why does my ASPX app keep logging the user out?

This ASPX app I'm working on keeps logging me out mid-session. I tried changing this:
<sessionState mode="InProc" timeout="24" />
To
<sessionState mode="InProc" cookieless="true" timeout="1440" />
But it still times out every couple of minutes (sometimes sooner). I've never programed in ASPX before and I'm just making basic layout changes (removing three nested tables, etc.), but it's horrible how many times I have to log in to do even the simplest things.
Any clue what else might be timing me out if not the session state? I didn't write any of this...
The InProc and the session is not keep the logging authentication. This authentication is done using some other cookie that if you loose it you logged out.
There are two points to look - if you move from http to https and if you move from www. to non www. pages.
To solve that go to your web.config and check if you have setup that properties correctly (especial the domain).
<authentication mode="Forms">
<forms timeout="50" path="/" requireSSL="true" cookieless="UseCookies" domain="domain.com" />
</authentication>
Also check on roleManager and on httpCookies that you have setup the domain.

How to turn off session state for a certain directory?

I have a custom session provider that stores data in a DB, so fetching session state is not a cheap operation. I have also runAllManagedModulesForAllRequests="true" in my web.config, so sessions are inicialized for every request to an image.
So, I am striving for turning off session state for directories with static resources. Unfortunately, setting <sessionState mode="Off" /> for a folder does not work as this is application-level option.
I could handle this in the code of my custom session provider, but I am wondering if there is some cleaner, more declarative solution.
Edit: <pages enableSessionState="false" /> does not seem to help as it is probably related to ASP.NET pages and controls only.
I don't think that is possible, think about it as session is provided for the whole application, and you just can say at this folder i have and at that i don't, all you can do is to custom code the costly operation of your provider to not run according to certain conditions, place that correctly in your page life cycle.
I ran into the same problem trying to do WebServices with cookieless sessions. I solved it with using a symbolic link. Here are the steps:
1) Make your subdirectory its own application in IIS
2) put this in the subdirectory web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<sessionState mode="Off" />
</system.web>
</configuration>
3) Create a symbolic link to redirect BIN to your own BIN. In my example the subdirectory was only 1 level below my main application. So I did this command from the subdirectory:
mklink /D bin ..\bin
That's it. It will load assemblies from your main BIN directory, and inherit all its other settings from your main application.

Validation of viewstate MAC failed, but occurs on only 1 out of 2 webfarm servers (machine key is correct)

So I have something weird going on and i can not pin down exactly what is causing it. My asp.net project is live with session state on two production servers that are synced using the following command:
msdeploy -verb:sync -source:webserver,computername=%MACHINE%,username=Administrator,password=%PASSWORD% -dest:webserver 2<&1
The application is an asp.net 4.0 website that is run on two Server 2008 R2 web servers behind a load balanced configuration where the users are set to stick to one server once they connect. We have <MachineKey> set hardcoded with validation and decryption keys in the root site of the application and it is the same between both servers. My application is set up to forward exception events to our email system.
What is happening is that i am receiving the dreaded 'Validation of viewstate MAC failed' from the servers but even though the server load is 50/50 split the errors are coming in on a 99/1 split. So one web server is generating these errors considerably more often than the other one. This is strange considering the servers are synced and all configurations are identical.
I've done extensive searching on this problem and it seems quite difficult to find any solution that doesn't mention or do the following.
<MachineKey> is not identical between servers. (I know for a fact this is not my problem)
Setting enableViewStateMac=false or some other setting that jeopardizes the site security.
Make sure that all action tags on form inputs reference the same page they are placed on
Make sure the instance ID of the servers are the same (they are)
If the user clicks through the page before the entire page (viewstate) has been downloaded (my viewstate is set to render at the top of the page).
Issues with response.redirect and server.transfer
Now i have eliminated all except the last two as possible causes. My application has been running fine for over a year with no issues and right before these errors appeared i enabled SQL session state, migrated the project from .NET 3.5 to .NET 4.0, and set the set the server mode deployment mode to retail. I have tried recycling the application pools and performing an 'iis reset' to no avail.
Does anyone else have any suggestions as to what i can look at? Bottom line i do NOT want to fix this by opening up security holes in my site.
It appears this is happening to users right after they authenticate using forms authentication the first time they try to log in but i can not confirm this. I also have a theory that this might have to do with caching but i can't be sure on this either.
Here is the juicy bit from my web.config (i have removed some sensitive information)
<system.web>
<httpRuntime requestValidationMode="2.0"/>
<globalization culture="en-US" uiCulture="en-US" resourceProviderFactoryType="WebResourceFactory"/>
<compilation debug="true" defaultLanguage="c#" explicit="true" strict="true" targetFramework="4.0">
<assemblies>
</assemblies>
</compilation>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<sessionState mode="SQLServer" sqlConnectionString="connection" compressionEnabled="true" />
<pages theme="Blue" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<machineKey validationKey="key" decryptionKey="key" decryption="3DES" validation="SHA1" />
</system.web>
EDIT:Emphasized that i'm using SQL session state with a load balancer set to prefer to route users to the server they started on.
There is an additional possibility that you have not added to your list - ViewStateUserKey.
I have seen issues with applications where the ViewStateUserKey was set to the Session ID on logon and (crucially) before any data is saved to the Session. Since ASP.NET does not persist Session IDs until one or more objects are saved to session this meant that the ID was constantly changing and the Viewstate was failing validation. Even if you have saved something to Session then the Session will be different on each server if you are using the default in-process model and not a state server or SQL session store (as you are doing). Any server specific value or value that is not readily predictable across servers used with ViewStateUserKey will of course also cause this problem.
Otherwise the most common causes of this issue I have seen is where an "Action" attribute is set on a form that is not the URL of the same page as the form (this catches out developers used to PHP or platforms that do not attempt to abstract away from HTTP), or missing Machine Key attributes in the Web.config in multi-server environments (which you seem to have covered).
Ok i appear to have fixed it, though i can not discern what exactly caused it so i will just list all the steps i performed in case someone else has this problem later on.
1 :
Installed these windows updates:
2:
My forms authentication cookie was set to persistent but my session cookie was set to the browser session. I set my forms authentication cookie to be browser session based.
3:
I copied my from the site config to the root of IIS. From all the documentation i could find it should not be necessary for me to do this because IIS should support multiple machine keys for different sites / applications.
4:
Rebooted the server.
That's it! I have not received the errors since then.

Enable all caches except asp net output cache

I have different urls that points to the same code
www.url1.com
www.url2.com
I need to use the cache, but if the asp net cache is enabled when someone access to www.url1.com next person accessing www.url2.com could get the previously cached data (www.url1.com)
I need to have ALL caches activated except this one.
You can disable ASP.Net output caching for the entire application by putting it in your web.config file.
<configuration>
<system.web>
<caching>
<outputCache enableOutputCache="false">
</outputCache>
</caching>
</system.web>
</configuration>
But unless you're actually putting anything in the cache in the first place, you don't have anything to worry about.

Why does a change of Session State provider lead to an ASPx page yielding garbage?

I have an aspnet webapp which has worked very well up until now.
I was recently asked to explore ways of making it scale better.
I found that seperation of database and Webapp would help.
Further I was told that if I changed my session providing mechanism to SQLServer, I would be able to duplicate the Web Stack to several machines which could each call back to the state server allowing the load to be distirbuted better.
This sounds logical. So I created an ASPState database using ASPNet_RegSQL.exe as detailed in many locations across the web and changed the web.config on my app from:
<sessionState mode="InProc" cookieless="false" timeout="20" />
To:
<sessionState mode="SQLServer"
sqlConnectionString="Server=SomeSQLServer;user=SomeUser;password=SomePassword"
cookieless="false" timeout="20" />
Then I addressed my app, which presented me with its logon screen and I duly logged in.
Once in I was presented, with a page that was not with the page I was expecting.
I can change the sessionstate back and forth. This problem goes away and then comes back based on which set of configuration I use.
Why is this happening?
Nice error Dude :)
Probably a red-herring, but what are you storing in Session state?
When you move from InProc to SQL Server, the stuff you store in SQL must be Serializable (I think)
Use Fiddler to see what's really going on over the wire. To me it looks like your app is sending back an image when the browser is expecting HTML.

Resources