Question re: Session Management
My users have been running into problems with sessions coming up expired, and being unable to access the issues from their links.
First - about our environment: we are running in a 4 server web farm behind CSS devices to load balance (30 minute, I think), with hard timeouts for the servers. Authentication is Trusted (NTLM) authentication - it's our intranet site.
What we are experiencing is the users are getting booted from their sessions (being redirected to the Session Expired page) periodically, and not necessarily consistently. Especially if they are opening multiple windows.
I have tried moving the session state into the database (which probably will be needed going forward, anyway), but that didn't help - I am still getting the Expiration.
When I looked at the code, there is logic in BasePage.OnInit where the user is redirected if the session still exists:
    if (Session.IsNewSession)
    {
        // check whether a cookie had already been associated with this request
        HttpCookie sessionCookie = Request.Cookies["ASP.NET_SessionId"];
        if (sessionCookie != null)
        {
            string sessionValue = sessionCookie.Value;
            if (!string.IsNullOrEmpty(sessionValue))
            {
                // we have session timeout condition!
                Response.Redirect("~/Errors/SessionExpired.aspx", true);
            }
        }
    }
Basically - if the session is restarted, then the user is automatically redirected. But that is not always the case - the session may still be valid (just from a different server, or a process burp).
I tried two different things, with both working, but not fully tested. The first thing I tried was just to comment out the Response.Redirect. This appears to work, but my testing is limited right now - I tweaked the web.config to restart the server, and this appears to work - the session stays alive. I think this may create other issues though when a session does expire.
The second thing I tried is the following code:
    // check whether a new session was generated
    if (Session.IsNewSession)
    {
        // check whether a cookie had already been associated with this request
        HttpCookie sessionCookie = Request.Cookies["ASP.NET_SessionId"];
        if (sessionCookie != null)
        {
            string sessionValue = sessionCookie.Value;
            if (!string.IsNullOrEmpty(sessionValue))
            {
                // added test: only redirect when the live session ID differs from the cookie's
                if (Session.SessionID != sessionValue)
                {
                    // we have session timeout condition!
                    Response.Redirect("~/Errors/SessionExpired.aspx", true);
                }
            }
        }
    }
Basically, I added a new test - check to see if the session ID has changed. If it has, then we truly have a new session, so redirect.
This option also appears to work where the session stays alive.
My testing method is to tweak the Web.Config and save (modify some whitespace). This causes the server process to recycle for the application, and trigger the IsNewSession. When I tried the test with a vanilla solution, this triggered a failure. It fails, too, when I moved the session state management to the database. But with the above tweaks, both options, the session appears to stay alive.
Are there any issues this might expose, or problems this might cause?
Thanks!
Gary Klesczewski
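
The two checks from the post, modelled as pure predicates and run over constructed cases; this is an added example, not part of the original post or the project's code. The class and method names and the sample IDs are hypothetical. It assumes cookie-based session IDs, where ASP.NET keeps the ID sent in the ASP.NET_SessionId cookie when it starts a fresh session, so the tweaked check does not fire when state is lost through timeout, recycle or a request landing on another farm node.

```csharp
using System;

// Added example: models the two BasePage.OnInit checks without HttpContext.
static class SessionCheckDemo
{
    // Original check: a new session object plus an existing cookie means redirect.
    static bool OriginalRedirects(bool isNewSession, string cookieId)
    {
        return isNewSession && !string.IsNullOrEmpty(cookieId);
    }

    // Tweaked check: additionally requires the cookie ID to differ from Session.SessionID.
    static bool TweakedRedirects(bool isNewSession, string cookieId, string sessionId)
    {
        return OriginalRedirects(isNewSession, cookieId) && sessionId != cookieId;
    }

    static void Main()
    {
        // Constructed cases: label, Session.IsNewSession, cookie value, Session.SessionID.
        var cases = new[]
        {
            Tuple.Create("first visit, no cookie", true, "", "id-A"),
            Tuple.Create("existing session, state found", false, "id-A", "id-A"),
            // Assumption: state is gone (timeout, recycle, other node) but the ID is reused.
            Tuple.Create("state lost, ID reused from cookie", true, "id-A", "id-A"),
            Tuple.Create("runtime issued a different ID", true, "id-A", "id-B"),
        };

        foreach (var c in cases)
        {
            bool original = OriginalRedirects(c.Item2, c.Item3);
            bool tweaked = TweakedRedirects(c.Item2, c.Item3, c.Item4);
            Console.WriteLine("{0,-36} original={1,-5} tweaked={2}", c.Item1, original, tweaked);
        }
    }
}
```

In the "state lost, ID reused" row the original check redirects and the tweaked one does not, so under that assumption the tweak behaves like the commented-out redirect: a genuinely expired session continues with empty session state and any page code that reads session values has to handle their absence.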