Solved

ASP.NET Session State Restart Problem

Posted on 2006-07-15
14
1,402 Views
Last Modified: 2007-12-19
Hi,

We have been experiencing a session reset problem.  At this point, the problem described below has both me and the web host completely baffled.

We continue to receive letters from angry visitors every day who are browsing around the secured area of our web site, and then get booted back to the login page because their session was lost.  It's about 5 minutes or so, and then everyone gets booted back to have to login again.

I've both ensured the web host set the session timeout to 30 minutes, and have also made the following entry in the webconfig file:

<configuration>
  <system.web>
     <sessionState timeout="30" />
  </system.web>
</configuration>

Sometimes though, you can sit on a page, do nothing, and then refresh after over 3 minutes and no problem.  Other times, with the same page, if you refresh just after 30 seconds, you will get routed back to the login page.

I've contacted the web host and they provided the following information:

"I looked into the issue, and sure enough, your sessions were expiring on me every 5 or so minutes.  I checked both settings in IIS and they are set to values 20 minutes and above.  I also put you in an isolated application pool, thinking that may be the issue, but to no avail.  At this point I suspect it may be a setting you have in your code, and it looks to be pre-compiled."

"I was able to verify that the ASP.NET_SessionId cookie does NOT change when this happens.  Even after a re-login, the cookie says the same.  This means that the session is not truly getting reset, otherwise it would have a new cookie with a new randomly generated value.  Also, when logged onto the server I can see that the PID of the app pool does not change, either.  This indicates that the app pool is not failing."

"It seems the application relies on a .NET assembly called WebXelAuthentication to handle logins.  If, for any reason, this assembly erroneously determines the user is not logged in you get redirected to a login page.  This tells me all the login logic is centralized to this component."

We are wondering if any experts here had received any similar such issues and if you know of a fix or patch for this session reset.   We have no problem at this point even switching providers and using the regular .NET login system.  However, it seems so much more complicated than it's worth if you already have a database of users set up.  All we need is simple cookie username/password validation against our custom MS SQL server database, and a simple ability to obtain a forgotten password to an email address.  That's it.  We do not need nor want a registration 'wizard' or other item, as we handle new membership entries into the SQL database via manual means.

Just FYI, we have contacted the WebXelAuthentication vendor and they indicate their product uses regular asp.net session state period and unable to troubleshoot beyond that.

Any info on this particular problem would be greatly appreciated.

Thanks in advance,

Chris

NOTE: The general language we use is VB.NET, using a MS SQL 2005 database for the login information.
0
Comment
Question by:jumpseatnews
  • 7
  • 5
  • 2
14 Comments
 
LVL 96

Accepted Solution

by:
Bob Learned earned 400 total points
ID: 17115736
More information required:

1) .NET framework version?  2.0?  1.1?

2) IIS version?  6.0?  

3) Operating system for IIS?  Windows Server 2003?

Here are some thoughts:

http://aspalliance.com/226

 - ASP.NET web sites are executed in the context of a worker process.  IIS 5 uses a single worker process (aspnet_wp.exe) for all web sites (assuming no web gardens) and IIS 6 users a worker process (w3wp.exe) for each application pool.

 - Recycling an AppDomain will drop Application, Cache, and in-process Session information since that is stored in the AppDomain logical process!

http://forums.asp.net/7504/ShowPost.aspx

 - The restart can be caused by the modification of certain config files such as web.config and machine.config,  or any change in the \bin directory (such as new DLL after you've recompiled the application using VS) For details, see KB324772. In v1, there is also a bug that will cause worker process to restart.  It's fixed in SP2 and in v1.1.  See KB321792.

Bob
0
 

Author Comment

by:jumpseatnews
ID: 17115867
Hi Bob,

Thanks for the info.  The framework is 2.0.  For IIS, it's 6.0 running Windows Server 2003.

The host mentioned that they've isolated it into its own Worker Process.

I'll check out the links and see if any further info to get this resolved.

Chris
0
 
LVL 27

Assisted Solution

by:Sammy
Sammy earned 100 total points
ID: 17116151
according to Micro$oft article http://support.microsoft.com/kb/316148/EN-US/ this can be caused by antivirus software scanning .config and .asax files
maybe this you could ask your host to stop the virus scanner from performing such scans.

0
 

Author Comment

by:jumpseatnews
ID: 17116206
Hi Sammy1971,

Yeah, I was kinda afraid of that. I just wrote to them, at they said this:

"That support KB article is a good find, however I have doubts that that is the issue.  If the session was reset due to a change in the web.config, you would have a new session ID value in the cookie.  I observed earlier that this ID is not changing.  You can test for this by creating Session_Start and/or Session_End event handlers to catch this possibility."

I'm thinking more and more there must be something wrong with the WebXelAuthentication control.

Chris
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17129244
Chris,

Are you getting anything in Event Log?

Web events in ASP.NET 2.0
http://support.microsoft.com/?scid=kb;en-us;893664

<Quote>
...if your application is losing session state, you can look in the Event Log to determine whether the application domain is recycling
</Quote>

Bob
0
 

Author Comment

by:jumpseatnews
ID: 17132573
Thanks Bob,

Just wrot e to them again with this info and will let you know what I hear back.

Christopher
0
 
LVL 27

Expert Comment

by:Sammy
ID: 17135119
Chris
Bob's suggestion is great to find out what might be the cause of this.
I tried Micro$oft article on one of my servers, and it was actually correct.
tested 5 times 3 the session was lost in less than 10 minutes and 2 tests just passed the 20 minutes timeout.
I am shocked now, Micro$oft's article was correct without additional info for once :-)
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 96

Expert Comment

by:Bob Learned
ID: 17161772
Chris,

Any results?

Bob
0
 

Author Comment

by:jumpseatnews
ID: 17163219
Hey Bob,

Yeah, I wrote to the hosting company to check the logs, but they indicated that "We cannot filter by pool or domain.  Sorting through it to find individual pools recycling would take hours due to all the other shared accounts that exist."

I think that there is an option that you set via webconfig that can e-mail me the event log or drop it into my SQL database?  I'm checking into this now, so that I can get this information and post it here for the session drop.

Meanwhile, I tested it on local install of iis 6 and none of these problems happened.  I'm fairly convinced that it is the web host.  They've offered to move servers, but I want to only do that as a last resort, as I believe that your idea to examine the event log is the best way to go first.

Will w/b as soon as I'm able to get the events emailed or dropped into SQL for examination.

Chris
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17163604
Chris,

Given that thing about hours, then share with them about Microsoft Log Parser:

   http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

It should take minutes, not hours to perform a query to find that information in the log.

Bob
0
 

Author Comment

by:jumpseatnews
ID: 17163626
Excellent!  Thanks Bob, will email them today this info and request this.  Will keep you posted.  My guess is that they won't get back to me until tomorrow, but you never know.

All the best,

Chris
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17163644
Chris,

Log Parser queries are a learning curve, and unless they already know about it, you probably won't get an answer right away.

Bob
0
 

Author Comment

by:jumpseatnews
ID: 17167328
Hi Bob,

Here's what I just got back: "Oh yeah, that should really help.  I'll write some queries for this and let you know what it turns up."

Fingers crossed on this one.  I just want to know the MYSTERY of what is causing this!

Will let you know.

Thanks,

Christopher
0
 

Author Comment

by:jumpseatnews
ID: 17233619
Hi Bob,

OK, I never heard back from the host regarding the testing of the log file.  However, I did put a fix in place for this problem: I'm now using State Server to store the session information and bypassing the InProc process completely.

Since I switched over to State Server, not a single problem has been reported.  

The web host obviously still has a problem on their server with the regular InProc .NET session state being recycled every five or so minutes.  Using the 'StateServer' to handle sessions was a good alternative thus far.

To do this, I modified the web.config file like so:

<sessionState mode="StateServer" cookieless="false" timeout="30"
stateConnectionString="tcpip=127.0.0.1:42424" />

The loopback of 127.0.0.1:42424 works perfectly.

Thanks again for all your help on this one!

Sincerely,

Christopher Lee
www.rikter.com
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now