This is one of those posts that will not interest you unless you have a similar problem. That said, it does illustrate one general truth, that in software problems are often not what they first appear to be, and solving them can be like one of those adventure games where you think your quest is for the magic gem, but when you find the magic gem you discover that you also need the enchanted ring, and so on.
Recently I have been troubleshooting a session problem on an ASP.NET application running on a shared host (IIS 7.0).
This particular application has a form with some lengthy text fields. Users complete the form and then hit save. The problem: sometimes they would take too long thinking, and when they hit save they would lose their work and be redirected to a login page. It is the kind of thing most of us have experienced once in a while on a discussion forum.
The solution seems easy though. Just increase the session timeout. However, this had already been done, but the sessions still seemed to time out too early. Failure one.
My next thought was to introduce a workaround, especially as this is a shared host where we cannot control exactly how the server is configured. I set up a simple AJAX script that ran in the background and called a page in the application from time to time, just to keep the session alive. I also had it write a log for each ping, in order to track the behaviour.
By the way, if you do this, make sure that you disable caching on the page you are pinging. Just pop this at the top of the .aspx page:
<%@ OutputCache Duration="1" Location="None" VaryByParam="None"%>
It turned out though that the session still died. One moment it was alive, next moment gone. Failure two.
This pretty much proved that session timeout as such was not the issue. I suspected that the application pool was being recycled – and after checking with the ISP, who checked the event log, this turned out to be the case. Check this post for why this might happen, as well as the discussion here. If the application pool is recycled, then your application restarts, wiping any session values. On a shared host, it might be some else’s badly-behaved application that triggers this.
The solution then is to change the way the application stores session variables. ASP.NET has three session modes. The default is InProc, which is fast but not resilient, and for obvious reasons not suitable for apps which run on multiple servers. If you change this to StateServer, then session values are stored by the ASP.NET State Service instead. Note that this service is not running by default, but you can easily enable it, and our helpful ISP arranged this. The third option is to use SQLServer, which is suitable for web farms. Storing session state outside the application process means that it survives pool recycling.
Note the small print though. Once you move away from InProc, session variables are serialized, not just held in memory. This means that classes must have the System.Serializable attribute. Note also that objects might emerge from serialization and deserialization a little different from how they went in, if they hold state that is more complex than simple properties. The constructor is not called, for example. Further, some properties cannot sensibly be serialized. See this article for more information, and why you might need to do custom serialization for some classes.
After tweaking the application to work with the State Service though, the outcome was depressing. The session still died. Failure three.
Why might a session die when the pool recycles, even if you are not using InProc mode? The answer seems to be that the new pool generates a new machine key by default. The machine key is used to encrypt and decrypt the session values, so if the key changes, your existing session values are invalid.
The solution was to specify the machine key in web.config. See here for how to configure the machine key.
Everything worked. Success at last.
Session is, essentially, a user-specific cache and should not be used for anything which can’t be re-hydrated from elsewhere when needed. Importantly, Session should never be used for any private data or authentication-related anything — it’s not secure at all. If you have (or can guess) a user’s session key then you can potentially see everything in their session.
Few months ago I was solving similar things while app needed to be modified for webfarm-scenario (externalized sessions, serializable session items, common machineKey on loadbalanced VMs). You described it well :-), there is several levels of settings involved as sliding expiration of cookies etc. As machineKey is used for encoding and also encrypting, then even built-in authentication might failed because of corrupted cookie? Things in ASP.NET are quite nicely secured, no doubt 🙂