To describe the app, it has an default page where it will be checking user role from request header then assign the user id into session and redirect to corresponding pages. In every other pages, it will check whether the session has value or not, if no then will redirect the default page.
This has been tested in my dev environment and its working without any issue. However, when I hosted it in IIS (AWS EC2 environment). It started behaving very weird. If the application's bindings is stick to default. I can browse it in the server using http://localhost:26943/ with no issue.
default bindings
However, when i change the bindings to hostname and browse using http://testing.com/, I found that the session containing user ID is empty.
hostname bindings
I have tried several methods including :
Add Session["init"] = 0 in Global.asax
Change cookieless=true in web.config
Change sessionState's mode to "StateServer"
Redirect to "~/page.aspx" instead of "page.aspx"
Only change cookieless method worked for me but it will show session ID in the URL which I doubt is the correct method.
Details of app:
.NetFramework 4.8
Uses WCF service
Current session state info is sessionState mode="InProc" cookieless="false" timeout="60"
Configured c:\Windows\System32\Drivers\etc\hosts to add 127.0.0.1 testing.com
Tested using IE 11
Since AWS is on a server farm?
Then in-proc sessions are going to be VERY flakey and problematic. Those massive cloud systems will spool out your web server multiple times - a WILD guess as to where the next page will come from. If pages are served across different instances of the IIS server?
You going to lose session values. As noted, even some un-handled code errors will cause a app-pool re-set. All of these issues add up to easy and frequent loss of sessions.
I would suggest you adopt SQL server based session management. This should eliminate a zillion issues that can cause a session() re-set. I like in- proc. Memory based is fast, and since your not writing the next Facebook, then of course typical server loads are next to nothing (again, this favors use of in-proc sessions). However, since you a have server farm, and some application errors will become problematic? Adopt SQL server based sessions, and 99 if not 100% of your session() re-sets and loss will go away.
this suggestion is MUCH more warranted since you using AWS and you have little control over the VM's they run and their behind the scenes "fabric" controller could for fail safe and redundancy issues be running multiple copies of your server. So, adopt SQL based session management.
HttpContext.Current.Session["myvariable"]
Related
We have an asp.net Core application (that is running under .net Framework 4.8) which is deployed withing IIS on a Windows Server 2016 box. This application uses asp.net Core identity framework for roles based access.
Everything works great but when we update the "Site Bindings" (by way of an example config change) within IIS all the connected users get logged out upin the next page request, perhaps the cookie/sessions being reset?!
Whilst this might be the behaviour you expect this was not the behavious we had on a previous "identical" installation which was lost (all data was backed up etc etc but the server host died and we lost the exact settings).
I remember reading a while back (but can't find it now) that the session should actually persist as this allows for load-balancing (which we don't need).
Nothing has changed in the code base for this to now not work so this suggests it's an IIS setting.
Does anyone have a magic change we can make for the connections to persists and our users not to be sent back to the logon page on the asp.net core app?
Thanks.
Jim.
*** update ***
Changing the "Identity" property of the Appl pool entry to System Account seems to allow me to change bindings without the (app pool?) reset.
Somewhat annoyingly, this appears to be the only setting that doesnt reset the user sesions when changing the binding. The obv downside of using this are the security considerations which rule it out!
Anyone with a plan c?
I am completely lost trying to figure this out. It has been going on for months. Session values just get lost. I check for Session["uid"] on master page to force user to login page.
System : Windows Server 2008 R2 Enterprise
IIS 7.5
.Net Framework 4.5 specified in web config
Application pool .Net Framework V4.0
Application pool Timeout set to standard 1740
Not a Web Farm.
Session In web config:
<sessionState timeout="60" mode="StateServer"></sessionState>
I changed the mode to StateServer thinking it is App pool random recycling causing it loose session
I check this post:
Losing Session State
I tested it myself. On a page where is loads countries and then cities based on country selection (updatepanel)... randomly it would just route me to login page on country change. And this is no delay in between change. Change, change, change... and then session["uid"] lost.
I read up on how IIS manages sessions:
https://abhijitjana.net/2010/03/14/beginner%E2%80%99s-guide-how-iis-process-asp-net-request/
can't seem to find answer there.
then i started getting errors like application pool max reached.
Then i set worker processes to 25, and it says it now a Web Garden.
Then i thought let me read up on Web Garden. According to this post it is a bad thing and should not be used ?
https://serverfault.com/questions/81689/web-gardens-are-they-good-or-bad-or-what
I just did the worker process increase today so i can't say if that will help, but i also dont want to leave that in place if it going to cause me other headaches.
My web site is non MVC, but i added an API controller to it. Not sure if this would be the issue for the session lost or app pool maxing out.
API not my biggest concern as we plan to move it to it's own MVC project.
But for now , my concern is the random session being lost.
I'm not sure it being lost. My code simply check if (Session["uid"] == null) go to login page.
I come from PHP / Apache history and never had any issues with Sessions.
Basic structure the same between c# masterpages and PHP template
I don't have any issues on localhost or dev server enviroment.
It's just when on live server that has a couple of other sites on this happens.
I don't think the other site will influence my site? THis is what application pooling prevents?
I have a web application with private/protected methods or private/protected variables
First I would like to know when a web-server has a connection established already for a certain web application and then receives a new connection does it run a new instance of the web application for this new connection and thus re-initializing all the variables in that web application just like on a computer?
I have goggled the Internet and I am terribly confused!
Second I am using the visual studio development server and I have learned that it doesn't accept connections from other computers, I have gotten around this by using a port forwarding software. So the question is, By doing this does VS2010 web-server see each different requests as a new request or same request since am forwarding them from an app on the local computer?
Finally if I have a web application open on one browser and then decide to open it on another browser and keep the current browser open is this treated as a new request or a post-back?
The app domain is constant (can be recycled) and is created only on the first request (also can be set before that).
That is to say all the static variables are initialized only once
but all the not static classes on which your request depends are initialized on every request.
So basically all your pages in normal asp.net and all the controllers in asp.net MVC are initialized on every request.
read more about it here http://www.codeproject.com/Articles/73728/ASP-NET-Application-and-Page-Life-Cycle
*note - the image has been take from the article referred above
Its a little more complicated than that. The process is optimised for mutiple connections and is stateless, however cashing can be used to imporve scalabilty: That which does not need to be reprocessed can simply be reused: http://www.dotnetfunda.com/articles/article821-beginners-guide-how-iis-process-aspnet-request.aspx is a good place to start understanding what can go on http://msdn.microsoft.com/en-us/library/bb470252%28v=vs.100%29.aspx is a somewhat dryer ms version "iis asp page life cycle" is a good google
The web application instance handles many many requests. And shared state (cache etc) is used very effectively across those requests, whether for a single session or multiple concurrent sessions.
When a request is made, the request object (and any "page" / "controller" object) is created for that request. The state of this object is fresh, but systems like "session state", "view state", cookies, and request values can be used to repopulate it - sometimes largely automated.
A single user making separate requests is not a post-back. They are separate sessions, but even a single session that opens the same page twice (tabs, etc) is not a post-back. It mainly depends on the http verb and other evidences to determine a post-back.
You've got to read this great article: https://lowleveldesign.org/2011/07/20/global-asax-in-asp-net/ for your question. Though it's a little late, it may help others out.
In code, we're referencing "athirdpartydomain.com"
Page.Response.Redirect("www.athirdpartydomain.com");
However, the owners of "athirdpartydomain.com" have decided to change their domain. This will involved a fairly considerable amount of work for us eventually, and they're letting the domain go completely.
We will of course change it in time, but I'm wondering if there's a quicker way to do this. Like changing something on the server to make sure all requests to "athirdpartydomain.com" all go to "theirnewdomain.com"
Considering you're using .NET, I can imagine you're also using IIS and, so, you can do this using IIS Redirects. NB, this will only work if you're hosting www.athirdpartydomain.com and have access to the IIS on that server.
You can learn how to do this here: http://support.microsoft.com/kb/313074
In .net you can't do that, but yes you can do that using cpanel of that domain.
You have to open that domain with admin login.
and you have to set "a name" or "a point" to particular server where you wants to redirect to site when some one browse the site this will redirect to particular site without load of that site.
We are planning to move one of our applications on cloud, but somewhere I read that using session in cloud can be dangerous. but this blog dosen't explain any danger as such.
I wanted to know that is there really any threat in using session for cloud applications?
I am new to the forum so excuse if I have commited any mistake and please guide me to correct the same.
If you plan to run your application across several nodes, you will need to take load balancing and out-of-proc sessions into account, but there's nothing inherently insecure about using sessions while your servers are hosted somewhere else.
That just doesn't make any sense.
If 'dangerous' means that in certain situations the use of Session won't work, then you're right if you would be using Azure to host your cloud application. Then it depends on the number of instances you are running.
If you're only running 1 instance then you can use Session (that lives in memory on the instance) without changing anything. But if you're using more than 1 instance (the requests are being load balanced and each request can be handled at a different instance) in memory Session won't work out of the box. To resolve this you're able to use 3 different ways to store session.
See this question for more information:
ASP.NET session state provider in Azure