I need to understand something about ASP.NET session state, as it applies to IIS 7 and ASP.net 3.5.
If an application is configured to use in-process session state, will that work OK if there are multiple worker processes? In other words, do worker processes share session state?
The default configuration for IIS 7 is to use in-process session state and to allocate a maximum of 10 worker processes. It would seem likely then, that this default configuration should work. I'm dealing with a company that has produced an ASP.NET MVC web app that is having some problems, they're blaming the server environment. The claim is that because I'm using the default settings of 10 worker processes, that is breaking their session state. I need to know whether this is in fact an accurate claim. I've never known an ASP.NET app to not work with the default configuration, so I'm a bit confused and need to have this clarified.
Having multiple worker processes and using InProc does not seem to be compatible.
See this:
If you enable Web-garden mode by setting the webGarden attribute to true in the processModel element of the application's Web.config file, do not use InProc session state mode. If you do, data loss can occur if different requests for the same session are served by different worker processes.
More than one worker process is a "web garden." In-process session state will not work correctly. You'll need to use either a single worker process for your web app, or use a session state server, or SQL Server for session state.
I may be wrong, but as far as I know, by default you only have 1 worker process per application domain with multiple worker threads to handle requests. In this case In-Proc Session State should work just fine (the default settings).
But if you do have multiple worker processes (not just worker threads, actual worker processes) you do need out of process session state.
I think having more than 1 worker process in ASP.NET is referred to web garden mode which you have to specifically enable and if you do, then you need out of process state management. See the comment box on this page under the In-Process Mode heading.
I experienced session lost problem and finally struggled to find the root cause.
Recently I received several bug reprot about the session lost. If the website load is low, everything is OK. If the website load is high, the session lost issue happens. This is very weird.
The root cause is between Worker process setting and Session state. Here we have 5 worker processes, which means it will have 5 independent processes running when the website load is high. While the session is stored in process, IIS cannot guarantee that a client user will use the same worker process.
For example, the user client uses Process A when first visiting the web, and when he second visit the web, it may use Process B. There is no session stored in Process B, so his session is lost.
Why it is OK when the website load is low? Because IIS will only setup one worker process when the load is low. So the session lost issue will not happen. This explains why it is OK when I deploy a new version and test it OK at night, but the error happens again tomorrow morning. Because the website load is low at night.
Be careful to use session state in Process, it is unstable when your website load will be high and considering with mutiple worker processes. Try something like State Serversession state.
Related
Setting my forms authentication timeout and sessionState timeout from my config never seem to have the desired effect. I always have to set the sessionstate timeout on the website on the server and it also seems like I need to set the application pool idle timeout as well.
What is the point of the config setting if the server can just override it?
What are the priority of the settings, strictly in terms of authentication and the time to keep a user logged in? I have not done extensive testing on this but it feels like if any of the 4 settings are out of sync, the users don't get timed out predictably.
The main thing is that they aren't related at all.
Forms authentication timeout won't have anything to do with session timeout. Forms authentication timeouts may or may not slide and only store the authentication cookie. Even if they are set to slide a user still has to interact with the server after the halfway point in the timeout for it to slide, else it doesn't.
Session timeout is just there to store data for X amount of time if needed and the timeout will slide.
The application pool is there to keep everything running smoothly. Application pools need to recycle every so often and that can be disruptive, but it's the health of the app and the server they are worried in. Of course, if you aren't using a state server or storing session in database the session can end up killed off as well.
Couple things that help in this scenario:
Use session wisely as it's a pig for resources, and always have a means to check for nulls and recreate the needed objects/values if it is null.
Create a machinekey for your app. This will make sure the way that the app encrypts data doesn't change with each app recycle. If a recycle occurs it could have an effect on logged in users because the encryption of the ticket may not match. A nice side effect of creating an explicit machinekey can also help you use a webgarden if you want, but only if you a state server or store session in db since in memory session can't be shared among processes.
So they aren't inter-related but can effect each other. There is also no way in hell I would want an application to have it's own settings that would over-ride an app pool setting since a well set app pool keeps the site and server healthy and running well and that's the main reason it trumps all.
From time to time, some requests on my website starts to hang on the RequestAcquireState state of the Session module. When that spiral begins all requests timeout and we need to restart the IIS on the affected server.
I investigated it a lot and the only conclusion I got is that somehow a deadlock is happening while the application tries to access user data stored in Session.
The only option I can think of to fix this issue is to either reduce or stop using Sessions in my application. This is definetely part of the plan, but it will take a while before we can complete that.
We run 6 machines with IIS 7.5, out of proc StateServer and server affinity on in our Load Balance.
Any hints on how to workaround this issue or fix it at all without having to remove Sessions entirely?
Lock mechanism exist on both provider and session module (IIS Session Module). You can develop custom session module, but you still need provider without locking or You can develop custom provider without locking but you still need IIS session module and it is not so simple to implement at that level.
The Solution is UnlockedStateProvider [aka Unlocked]
Follow the white rabbit :P (Check the demo project, it explains everything.)
The answer is Hotfix Rollup 2828841 for .NET Framework 4.5 , here all the explanation:
http://forums.asp.net/t/1888889.aspx/2/10?Question+regarding+a+possible+bug+within+NET+4+5
and here the download link
It works for me on IIS 7.5 Windows Server 2008 rs x64 , asp.net web forms application with lot of ajax request.
I just found out today that if you have a long running request (or in my case, an infinite loop), then all subsequent requests will be locked, because by default ASP.NET locks on session.
So if you have users with requests in RequestAcquireState, then check if there is a request in ExecuteRequestHandler that is locking the session, and thus preventing other requests from starting.
There is a discussion here on how to prevent locking on session.
(Basically, create most of your pages as Session-Read-Only, and modify session as rarely as you can.)
Is it possible those users have another long running request and the requests you see piling up are actually secondary requests? By default, ASP.NET will lock Session until a request is complete. If a second request comes in before the first one is complete, it will have to wait. If you are using MVC, you can change this behavior by adding an attribute to your controller.
[SessionState(SessionStateBehavior.ReadOnly)]
This makes Session read-only, removing the locking behavior allowing subsequent requests to be processed.
Site hosted via IIS 7.0
I would like to set my session time-out to 9 hours in my ASP.NET application.
This has been set at web.config
<sessionState timeout="540"></sessionState>
But, as I understand, if the timeout is set as 20 minutes inside the IIS where the website is hosted, setting an extended session state will be of no use.
Firstly, I would like to confirm whether this assumption is right.
The problem is that I do not have access to the IIS of my shared hosted web server.
Now, after some research, I came up with another solution in code project. This sounds like a wonderful idea. The idea is to insert an iframe to master page. The iframe will contain another page with meta refresh less than 20 minutes.
Response.AddHeader("Refresh", "20");
This idea seemed good for me. But the article is 7 years old. Plus at comments section a user complaints that this won't work if the page is minimized and I am worried that the same happens when my pages tab is not active.
I would like to know these things
Whether the refresh method will work for my scenario , even if the page is minimized?
Are there any other methods that could increase session time out that overrides IIS timeout setting?
Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?
Firstly, I would like to confirm whether this assumption is right.
Yes, this assumption is absolutely right in case you are using in-memory session state mode. In this case the session is stored in memory and since IIS could tear down the AppDomain under different circumstances (period of inactivity, CPU/memory tresholds are reached, ...) the session data will be lost. You could use an out-of-process session state mode. Either StateServer or SQLServer. In the first case the session is stored in the memory of a special dedicated machine running the aspstate Windows service and in the second case it is a dedicated SQL Server. The SQL Server is the most robust but obviously the slowest.
1) Whether the refresh method will work for my scenario , even if the page is minimized?
The hidden iframe still works to maintain the session alive but as I said previously there might be some conditions when IIS unloads the application anyway (CPU/memory tresholds are reached => you could configure this in IIS as well).
2) Are there any other methods that could increase session time out that overrides IIS timeout setting?
The previous method doesn't increase the session timeout. It simply maintains the session alive by sending HTTP requests to the server at regular intervals to prevent IIS from bringing the AppDomain down.
3) Also I read some questions in Stack Overflow where the answers state
that the IIS session timeout is for clasic ASP pages. Then why is not
my extended timeout not firing?
There is no such thing as IIS session timeout. The session is an ASP.NET artifact. IIS is a web server that doesn't know anything about sessions.
Personally I don't use sessions in my applications. I simply disable them:
<sessionState mode="Off"></sessionState>
and use standard HTTP artifacts such as cookies, query string parameters, ... to maintain state. I prefer to persist information in my backend and retrieving it later using unique ids instead of relying on sessions.
I'm trying to implement some fail safes on a client's web server which is running two of their most important sites (ASP.NET on IIS7). I'm going to set up application pool limiting so that if any w3wp process uses 90%+ CPU for longer than a minute then it gets killed (producing a temporary 503 Service Unavailable message to any visitors), and based on my local testing will be restarted within a minute - a much better solution than having one CPU-hogging process taking down the whole server for any length of time.
This seems to work, however during my fiddling on my local IIS7 instance I've noticed that if a request calls my "Kill.aspx", even when the site comes back up IIS will not serve the session that caused it to hang. I can only restart the test site from a different session - but as soon as I clear my cookies on the "killer" browser I can get to the site again.
So, whatever malicious behaviour IIS is trying to curb with this would not work against an even slightly determined opponent. In most cases, if excrement does hit fan it will be coding/configuration error and not the fault of the user who happened to request a page at that time.
Therefore, I'd like to turn this feature off as the theoretical user would have no idea that they need to clear their cookies before they can access the site again. I would really appreciate any ideas on how this might be possible.
Yous should be using ASP.Net Session StateServer instead of In-Proc (see msdn for details). That way, you session will run in different process and won't be affected by IIS crash.
Turn what "feature" off? If the worker process is reset (and your using in-proc session) then the session is blown away on a reset.
You might want to investigate moving your session storage to a state server or some other out of process scenario.
Also, you might want to set the application pool to use several worker processes (aka: web garden) this way if one process is killed the others continue serving content.
Next, as another option you might want to set up multiple web servers and load balance them.
Finally, you might want to profile the app to see exactly how they are causing it to spin into nothingness. My guess is that there are a number of code issues you are simply covering up with this idea.
I have an iframe keep alive (iframe that hits a page, defibrillator.aspx, on my site every few minutes to keep the session alive) on my masterpage for an asp.net app. This works most of the time but every so often my session variables return null during the page load on my defibrillator page. At first, I thought the session was being timed out by the server for some reason so I put some logging into the Session_End event in the global.asax but it was never hit.
Any ideas what could cause the session to be lost.
Many things can cause session to be lost. An AppPool recycle, iisreset, the client could lose its session cookie, etc. Without knowing more it is difficult to tell what is the problem.
If session is so critical that you poll the application to keep the worker process from sleeping perhaps you ought to look into persisting your session state to SQL Server.
Peter Bromberg outlines the primary reasons for ASP.NET session timeouts on his blog.
I had this same sort of problem, storing a shopping cart state in Session but having it randomly return null instead. I think I found the answer on Bertrand Le Roy's blog, which seems to work for me:
Session loss problems can also result
from a misconfigured application pool.
For example, if the application pool
your site is running is configured as
a web farm or a web garden (by setting
the maximum number of worker processes
to more than one), and if you're not
using the session service or SQL
sessions, incoming requests will
unpredictably go to one of the worker
processes, and if it's not the one the
session was created on, it's lost. The
solutions to this problem is either
not to use a web garden if you don't
need the performance boost, or use one
of the out of process session
providers.
Blog
If the chosen persistence mechanism is InProc then it can be triggered by many things. Totally counter-recommended for a production environment.