0

I'm facing a very peculiar issue with sessions being reset without any apparent reason. This happens randomly, once every few tens or hundreds of requests.

My web application is running on windows 2003, IIS 6.0, .NET 1.1. The application has a webpage which populates a bunch of Session variables during its Page_Load event. The data is stored out of process in ASPNET State Service.

After the Page_load event exits and the page is displayed, the user clicks on a button, which retrieves the session data and does some work with it. And this Button_click is where the issue occurs. On some occasions, the session variable is null, raising a nullRefException.

Our traces show that the sessionID during the Button_click event is a brand new session, with a different ID than the session of the Page_Load event. Thus, the application fails to retrieve the data that was stored during Page_Load. Our event log shows that the session variables for the problematic requests are indeed populated during the Page_load event, and the response is sent without issue, which normally would persist the data.

We have ruled out session timeouts; although a timeout would still result in the same nullRefException, the same session ID from Page_load would be used to retrieve non-existing data. In this case, the sessionID is different than the original.

We are not messing with the ASPNET cookie in any way, we do not use session.abandon, nor do we inadvertedly remove items from the session.

My question is: what server-side factors could cause the cardholder's session to be reset like that? The Application event log does not contain any useful info.

Also, is there anything client-side (e.g. cookie tampering) that could force IIS to assign a new session upon subsequent postbacks of the page?

Many thanks in advance.

user1483086
  • 1
  • Have you ruled out IIS application pool recycles? – Stephen S. Jul 12 '12 at 15:12
  • Hi Stephen, thanks for your reply. Since we're running session out-of-proc, app pool recycling is not really a factor. We have checked the pool settings, and its set to recycle every 29 hours, which is not consistent with the occurrences of the issue. It happens randomly throughout the day. – user1483086 Jul 17 '12 at 10:26
  • Update: Fiddler shows that the first request to the page gets a response with a session cookie, the set-cookie header is there. However, the browser does not return the cookie on subsequent postbacks to the page, resulting in a new session to be set in the response. So I guess the question now is: why doesn't the browser return the session cookie it was given on the very first response from the server? It seems that this issue only occurs with IE9. – user1483086 Jul 20 '12 at 06:23

1 Answers1

2

I'm not sure if this applies to your situation, but it might help others.

I was designing a website and I found out the hard way, meaning I had to redesign a portion of this site I was working on. When you create or delete a folder (from an asp.net page) within the active IIS folder it resets all sessions for the website. This means every user currently on the site gets their sessions instantly deleted.

If you have control of your the server, store files outside the IIS folder and stream them in as needed. If you don't have control of the server, you will have to remove any work with folders.

Guest
  • 21
  • 2