I have an ASP.NET web application that, for whatever reason, when it is deployed on any IIS server, will behave like the pages are cached and it simply never posts back to the server.
For example, navigate to the login page, enter credentials, click the login button, and it's back to the login page you go, with the form fields cleared. The information is not getting submitted back to the server. The postback is not executing. It seems the browser is simply restoring the original page from cache.
I found this article that says I need to put something in the ASP.NET session state in order for the session to remain valid.
When a user connects to an ASP.NET
application, a unique session ID will
be affiliated with the user. If
nothing is put in the session however,
no cookie will be sent to the browser.
This means that the user will get a
new session ID the next time a new url
is open or the page is refreshed. If
something is put on the session
(HttpContext.Current.Session["Hello] =
"hello") however, ASP.NET will issue a
cookie called ASP.NET_SessionId. This
cookie contains the user's session ID
and the cookie will expire at the end
of the session (when you close your
browser).
I will try what that article recommends, as I had not been storing anything in the session.
I have also added expiration headers to the page:
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetNoStore()
and put some meta tags in the html:
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="cache-control" content="no-cache" />
Any other ideas as to what the cause of this behaviour may be?
The issue was related to IIS.
The Directory Security for the web application was set to run only under anonymous access with a local user account and application pool specifically created for the application.
Turns out, Integrated Windows Authentication and Enable anonymous access must both be checked otherwise you'll get this weird behaviour.
FWIW, the ASP.NET web application is running in a FRAMESET/FRAME under a classic ASP site and the issue only occured when accessing the site from the local network. It worked fine externally. It also worked on the local network the first time it was accessed, then the session cookie would need to be cleared for it to work again.
This does not sound like a session state problem. It sounds like a problem with your Sub Page_Load
Is it just the login page that this happens to? If you've tried this on several IIS servers it would seem that something in your page is off. A standard install of IIS and a simple ASPX page with a button will cause a postback without having to do anything at all. If you aren't seeing that, then it must be something on that page. Try creating a very simple page with just a label and button and verify that you can see the post back and the page_load (like RichO said) are working correctly.
What sort of server configuration are you you using? It's a long shot, but sessions are server-specific: if you have multiple web servers, subsequent page loads may behave (correctly) as if the session was never set.
Make sure you have cookies enabled in your browser. Session storage requires cookies.
If this is happening on your dev box, set a breakpoint in your page_load (assuming you're not using MVC) or your POST controller action to see what's actually happening server side.
Also, try hitting this through an HTTP sniffer (like Fiddler) to see what's going over the wire.
Related
I have a web application (.net VB code) that utilizes session variables to store the username (here login name) and the profile (admin/client), authentication is handeled by asp membership. The application then relies on these session variables on the load events. This application has been running fine for a couple of years. However, recently users complain about occasional error messages after logging in and attempting to load a new page that needs one of these variables. It happens most frequently Chrome, but also IE and Firefox.
Users that experience the error need to log out and clear the browsing history, after that it works again. The error is not easy to replicate - I was able to trigger it on my machine 'violently' using the 'back' button a couple of times that eventually tripped it - then I had to clear my browsing history to get the application to work again.
What might cause this to happen?
the session gets set on the load event of the 'login' page with 'Session("Type") = "Admin"' and subsequent pages check for the value of Session "Type"
I understand that I could use a cookie instead, but I chose not to for security reasons. Could this be prevented using a cookie instead? or do I need to use the membership.getuser method to get the username and then look up the values in the database? That does not seem efficient.
Ideas?
FYI, the ASP.NET Session ID is stored in a cookie that travels back and forth with each request/response. The actual session state values for a given session are not stored in cookies ... they are stored on the server only. They could be stored in memory, or in a SQL database, depending on how you've configured ASP.NET Session State.
But Session State can get destroyed for a variety of reasons. IIS might suddenly decide to restart your Application Pool, for example, in which case all your Session State would be gone.
Basically, you need to write your web app to always handle the possibility that Session State may be empty. If it is empty, then you probably need to redirect the user to the login screen to enter his credentials again.
Clearing the browsing history should have no effect, so I can't explain why that would help get past the problem.
In my ASP.NET project, I am using Forms authentication. My main.master using LoginStatus control and web.config is set up for "Forms" authentication mode.
Before I log in, the control shows the text as "Login." After I log in, the control shows the text as "Logout." This is expected. However, after clicking around on a few links within the site, the control suddenly starts showing "Login" although I am still logged in. The session is still alive as some of the pages I visit dumps some session information.
Would appreciate if something can point me in the right direction. Regards.
If you are trying to redirect after setting a Session variable using
Response.Redirect("YourPage.aspx");
this may be causing the session token to gets lost, try using the overloaded version of Redirect:Response.Redirect("~/YourPage.aspx", false);
Another problem also may be miss configuration of application pool. If the application pool is configured as a web farm or a web garden (by setting the
maximum number of worker processes to more than one) and if you're
not using the session service or SQL sessions, incoming requests will
unpredictably go to one of the worker processes, and if it's not the
one the session was created on, it will get lost.
The solutions to this is either not to use a web garden if you don't need the
performance boost, or use one of the out of process session
providers.
For more information you can check the link of the original article below: http://weblogs.asp.net/bleroy/Don_2700_t-redirect-after-setting-a-Session-variable-_2800_or-do-it-right_2900_
I have an ASP.NET site which requires a login to get access to the rest of the site. Login information is stored in database and accessed through a service.
The business have asked to be able to login from an external site. I added a Generic Handler (.ashx) to my project which takes username & password input, verifies the credentials, and then if they are valid stores the credentials in the session using IRequiredSessionState interface. It then gives a URL of the entry point to the application to the client.
The client (a plain old HTML page using jquery to .post()) then takes the response and redirects to this URL.
Well, this seems to work great and exactly what I needed. I figured that I could avoid having to generate a token and pass it around in the querystring by doing this, since the handler and site both share the same session. But the problem now is when I tried a test by putting the Login HTML page on a co-workers computer (eg external to hosting in my application) - it doesn't work. The session is added correctly in the ASHX handler, but in the Page_Load of the entry point, that session value is gone..
Is it possible to do what I am doing? Why is session forgot immediately like this? I would think it would be the same as logging in from the log-in page and redirecting from there (it's the same application & the same session..)
Thanks!
I am fairly new with developing in ASP.Net and I've searched high and low for a resolution to this, to no avail. I am using Forms Authentication to authenticate users and when I login with user A, I abandon the current session, generate a new session cookie/id and redirect from to my content page and everything works as planned. However, when I open a new browser window and navigate to the login screen, thus starting a new session, the authentication cookie for user A is automatically passed to this session and is part of the request cookies collection. Even worse, when I actually log in as user B and get a new authentication cookie then refresh the browser window for session A, it now has the authentication cookie of user B.
I have no idea why this is happening. I thought the browser (IE9) was caching the authentication cookie because the response-header collection is set to cache-control "private" even though I specifically set the Response.Cache.SetCacheability("no-cache") in my code-behind for all pages. Then I was thinking it could be a threading issue.
Any insight into why this is happening is greatly appreciated, Thanks.
Try different Browsers like Chrome and IE. Because browser share same cookie and temp file even opened in new windows. Above scenario will occur if you try with gmail.com or live.com.
Check your web.config files for session settings.
Check out the following link:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.enablecrossappredirects.aspx
EDIT
This problem seems to have strangely disappeared. There must've been something funky with my environment. I'm voting to close this question.
When a user logs in, I inflate the session with a bunch of data from the Login page code-behind. Then I redirect the user to a different page in the application. I also have some session recovery logic which re-inflates the session based on the auth ticket when the user's session expires.
What seems to be happening is that I inflate the user's session with a bunch of data from the login page, then redirect them, and the request for the page to which I redirect them doesn't seem to have the session, so the application has to re-inflate it. I don't understand this - I've looked at the cookie and the session ID is not changing, and I am not resetting the session data anywhere in the code. Is this an ASP .NET 'feauture'? I'm using ASP .NET 4.0.
Edit:
To clarify: The session is inflated during the login request (on the click even of the login button). During the next request, it doesn't appear the session is populated any longer, so I end up having to re-inflate the session. Any requests that user makes after that, the session seems to "stick" and I have the properly inflated session for subsequent requests.
To answer your question SessionState data is independent of login/logout.
There are several reasons why data might "disappear" from SessionState.
If you are using InProc SessionState on a web farm, the user may have a subsequent request be served by a different machine in the farm.
SessionState can clear if it gets too full (like a cache).
If you are using a custom SessionStateStoreProvider, it may not be saving/retrieving the SessionState properly.