• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1441
  • Last Modified:

ASP.NET Session State Restart Problem

Hi,

We have been experiencing a session reset problem.  At this point, the problem described below has both me and the web host completely baffled.

We continue to receive letters from angry visitors every day who are browsing around the secured area of our web site, and then get booted back to the login page because their session was lost.  It's about 5 minutes or so, and then everyone gets booted back to have to login again.

I've both ensured the web host set the session timeout to 30 minutes, and have also made the following entry in the webconfig file:

<configuration>
  <system.web>
     <sessionState timeout="30" />
  </system.web>
</configuration>

Sometimes though, you can sit on a page, do nothing, and then refresh after over 3 minutes and no problem.  Other times, with the same page, if you refresh just after 30 seconds, you will get routed back to the login page.

I've contacted the web host and they provided the following information:

"I looked into the issue, and sure enough, your sessions were expiring on me every 5 or so minutes.  I checked both settings in IIS and they are set to values 20 minutes and above.  I also put you in an isolated application pool, thinking that may be the issue, but to no avail.  At this point I suspect it may be a setting you have in your code, and it looks to be pre-compiled."

"I was able to verify that the ASP.NET_SessionId cookie does NOT change when this happens.  Even after a re-login, the cookie says the same.  This means that the session is not truly getting reset, otherwise it would have a new cookie with a new randomly generated value.  Also, when logged onto the server I can see that the PID of the app pool does not change, either.  This indicates that the app pool is not failing."

"It seems the application relies on a .NET assembly called WebXelAuthentication to handle logins.  If, for any reason, this assembly erroneously determines the user is not logged in you get redirected to a login page.  This tells me all the login logic is centralized to this component."

We are wondering if any experts here had received any similar such issues and if you know of a fix or patch for this session reset.   We have no problem at this point even switching providers and using the regular .NET login system.  However, it seems so much more complicated than it's worth if you already have a database of users set up.  All we need is simple cookie username/password validation against our custom MS SQL server database, and a simple ability to obtain a forgotten password to an email address.  That's it.  We do not need nor want a registration 'wizard' or other item, as we handle new membership entries into the SQL database via manual means.

Just FYI, we have contacted the WebXelAuthentication vendor and they indicate their product uses regular asp.net session state period and unable to troubleshoot beyond that.

Any info on this particular problem would be greatly appreciated.

Thanks in advance,

Chris

NOTE: The general language we use is VB.NET, using a MS SQL 2005 database for the login information.
0
jumpseatnews
Asked:
jumpseatnews
  • 7
  • 5
  • 2
2 Solutions
 
Bob LearnedCommented:
More information required:

1) .NET framework version?  2.0?  1.1?

2) IIS version?  6.0?  

3) Operating system for IIS?  Windows Server 2003?

Here are some thoughts:

http://aspalliance.com/226

 - ASP.NET web sites are executed in the context of a worker process.  IIS 5 uses a single worker process (aspnet_wp.exe) for all web sites (assuming no web gardens) and IIS 6 users a worker process (w3wp.exe) for each application pool.

 - Recycling an AppDomain will drop Application, Cache, and in-process Session information since that is stored in the AppDomain logical process!

http://forums.asp.net/7504/ShowPost.aspx

 - The restart can be caused by the modification of certain config files such as web.config and machine.config,  or any change in the \bin directory (such as new DLL after you've recompiled the application using VS) For details, see KB324772. In v1, there is also a bug that will cause worker process to restart.  It's fixed in SP2 and in v1.1.  See KB321792.

Bob
0
 
jumpseatnewsAuthor Commented:
Hi Bob,

Thanks for the info.  The framework is 2.0.  For IIS, it's 6.0 running Windows Server 2003.

The host mentioned that they've isolated it into its own Worker Process.

I'll check out the links and see if any further info to get this resolved.

Chris
0
 
SammyCommented:
according to Micro$oft article http://support.microsoft.com/kb/316148/EN-US/ this can be caused by antivirus software scanning .config and .asax files
maybe this you could ask your host to stop the virus scanner from performing such scans.

0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
jumpseatnewsAuthor Commented:
Hi Sammy1971,

Yeah, I was kinda afraid of that. I just wrote to them, at they said this:

"That support KB article is a good find, however I have doubts that that is the issue.  If the session was reset due to a change in the web.config, you would have a new session ID value in the cookie.  I observed earlier that this ID is not changing.  You can test for this by creating Session_Start and/or Session_End event handlers to catch this possibility."

I'm thinking more and more there must be something wrong with the WebXelAuthentication control.

Chris
0
 
Bob LearnedCommented:
Chris,

Are you getting anything in Event Log?

Web events in ASP.NET 2.0
http://support.microsoft.com/?scid=kb;en-us;893664

<Quote>
...if your application is losing session state, you can look in the Event Log to determine whether the application domain is recycling
</Quote>

Bob
0
 
jumpseatnewsAuthor Commented:
Thanks Bob,

Just wrot e to them again with this info and will let you know what I hear back.

Christopher
0
 
SammyCommented:
Chris
Bob's suggestion is great to find out what might be the cause of this.
I tried Micro$oft article on one of my servers, and it was actually correct.
tested 5 times 3 the session was lost in less than 10 minutes and 2 tests just passed the 20 minutes timeout.
I am shocked now, Micro$oft's article was correct without additional info for once :-)
0
 
Bob LearnedCommented:
Chris,

Any results?

Bob
0
 
jumpseatnewsAuthor Commented:
Hey Bob,

Yeah, I wrote to the hosting company to check the logs, but they indicated that "We cannot filter by pool or domain.  Sorting through it to find individual pools recycling would take hours due to all the other shared accounts that exist."

I think that there is an option that you set via webconfig that can e-mail me the event log or drop it into my SQL database?  I'm checking into this now, so that I can get this information and post it here for the session drop.

Meanwhile, I tested it on local install of iis 6 and none of these problems happened.  I'm fairly convinced that it is the web host.  They've offered to move servers, but I want to only do that as a last resort, as I believe that your idea to examine the event log is the best way to go first.

Will w/b as soon as I'm able to get the events emailed or dropped into SQL for examination.

Chris
0
 
Bob LearnedCommented:
Chris,

Given that thing about hours, then share with them about Microsoft Log Parser:

   http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

It should take minutes, not hours to perform a query to find that information in the log.

Bob
0
 
jumpseatnewsAuthor Commented:
Excellent!  Thanks Bob, will email them today this info and request this.  Will keep you posted.  My guess is that they won't get back to me until tomorrow, but you never know.

All the best,

Chris
0
 
Bob LearnedCommented:
Chris,

Log Parser queries are a learning curve, and unless they already know about it, you probably won't get an answer right away.

Bob
0
 
jumpseatnewsAuthor Commented:
Hi Bob,

Here's what I just got back: "Oh yeah, that should really help.  I'll write some queries for this and let you know what it turns up."

Fingers crossed on this one.  I just want to know the MYSTERY of what is causing this!

Will let you know.

Thanks,

Christopher
0
 
jumpseatnewsAuthor Commented:
Hi Bob,

OK, I never heard back from the host regarding the testing of the log file.  However, I did put a fix in place for this problem: I'm now using State Server to store the session information and bypassing the InProc process completely.

Since I switched over to State Server, not a single problem has been reported.  

The web host obviously still has a problem on their server with the regular InProc .NET session state being recycled every five or so minutes.  Using the 'StateServer' to handle sessions was a good alternative thus far.

To do this, I modified the web.config file like so:

<sessionState mode="StateServer" cookieless="false" timeout="30"
stateConnectionString="tcpip=127.0.0.1:42424" />

The loopback of 127.0.0.1:42424 works perfectly.

Thanks again for all your help on this one!

Sincerely,

Christopher Lee
www.rikter.com
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

  • 7
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now