6

I've implemented a challenge-response scheme as an Ajax handler. For some reason it stopped working after working fine for a couple months. Investigating the issue showed that Context.Session[KEY] had lost its value between the challenge and the response calls.

I put Session_Start and Session_End (and a few other) methods in Global.asax.cs with some logging there and I see a new Session_Start event being fired with the same session ID and there was no Session_End event

Question is: why does IIS lose the session values?

Update: I tried switching to SQLServer sessions but there was no change in behavior. On rare occasions sessions work as intended, not sure why. I tried all "session losing variables" troubleshooting guides I could find to no effect

UPDATE 2: I narrowed down the issue to a missing session cookie, but modifying my.browsers config didn't resolve the issue after several attempts. When I call the ajax handler from a browser the session cookie "ASP.NetSessionId" shows up as expected. I changed the cookie name in IIS settings for both the site and the server to "SessionId" but I kept seeing ASP.NET, even after restarting the server. I would still like to give the bounty to someone who has an idea what's going on. In the meanwhile I worked around this problem by setting a session cookie in code.

Pseudo code for Login.ashx:

string login = GetParameter("login", context);
string passhash = GetParameter("pass", context);
string challenge = "" + Context.Session["CHALLENGE"];
if (!string.IsNullOrEmpty(challenge))
{
  // this is the 'response' part
  string challengeResponse = Crypto.GetChallengeResponse(Challenge, UserFromDB.PassHash);
  if (challengeResponse == passhash)
  {
    // Great success, challenge matches the response
    Log.I("Success");
    return "SUCCESS";
  }
  else
  {
    Log.W("Failed to respond");
    return "FAILED TO RESPOND";
  }
}
else
{
  // if passed login or session-stored challenge are empty - issue a new challenge
  challenge = "Challenge: "+ Crypto.GetRandomToken();
  Context.Session["CHALLENGE"]  = challenge;
  Log.I("Sent Challenge"); // this is what's in the log below
  return challenge;
}

Here's the log, Session started appears with each call, Session.Keys.Count stays 0 even though Session["CHALLENGE"] should have been set:

// This is the challenge request:
[] **Session started**: sr4m4o11tckwc21kjryxp22i Keys: 0  AppDomain: /LM/W3SVC/1/ROOT-4-130081332618313933 #44 
[] Processing: <sv> **MYWEBSITE/ajax/Login.ashx** SID=sr4m4o11tckwc21kjryxp22i  
[] Sent Challenge @Login.ashx.cs-80 

// this is the response, note that there's another Session started with the same id
// and the session didn't keep the value ["CHALLENGE"], there are no session-end events either
[] **Session started**: sr4m4o11tckwc21kjryxp22i Keys: 0  AppDomain: /LM/W3SVC/1/ROOT-4-130081332625333945 #93  
[] Processing: <sv> **MYWEBSITE/ajax/Login.ashx?login=MYLOGIN&pass=RuhQr1vjKg_CDFw3JoSYTsiW0V0L9K6k6==**
[] Sent Challenge @Login.ashx.cs-80 >Session: sr4m4o11tckwc21kjryxp22i

web config, sanitized

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections> 
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=4.4.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
  </configSections>
  <appSettings>
    <add key="IncludeStackTraceInErrors" value="false" />
  </appSettings>
  <connectionStrings>
    <add name="ApplicationServices" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />
    <add name="MYConnection" connectionString="metadata=res://*…. and a bunch of other stuff that works" providerName="System.Data.EntityClient" />
  </connectionStrings> 
   <system.web>
    <compilation targetFramework="4.5">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>
    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>
    </membership>
    <profile>
      <providers>
        <clear/>
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
      </providers>
    </profile>
    <roleManager enabled="false">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
        <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
      </providers>
    </roleManager>
    <pages controlRenderingCompatibilityVersion="4.0" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
  </entityFramework>
</configuration>
Sten Petrov
  • 10,943
  • 1
  • 41
  • 61
  • Can we see your web.config settings – Element Mar 22 '13 at 01:07
  • @Element added to the post – Sten Petrov Mar 22 '13 at 01:13
  • Have you inspected the request/response in a browser debug tool like Firebug? Any [invalid image sources](http://stackoverflow.com/questions/12623691/session-variable-value-changes-between-page-processing-somehow?rq=1)? – Sumo Mar 22 '13 at 01:45
  • @Sumo the client is an iOS app, no firebug there. There are only service calls (*.ashx), no html pages on the server whatsoever. The session cookie survives between calls as evident by logs – Sten Petrov Mar 22 '13 at 02:00
  • An issue with the [detected user agent](http://stackoverflow.com/questions/4158550/problem-with-asp-net-forms-authentication-when-using-iphone-uiwebview) that indicates cookies aren't supported? – Sumo Mar 22 '13 at 02:50
  • @Sumo tried the suggested .browser file fix but no effect. tried with and without setting a user agent in the app. – Sten Petrov Mar 22 '13 at 03:22
  • Have you tried cookieless session? http://msdn.microsoft.com/en-us/library/aa479315.aspx – Simon Mourier Mar 22 '13 at 15:38
  • Where exactly does `Context` come from? Is it a property you populate with `context` from `public void ProcessRequest(HttpContext context)`? – Linus Caldwell Mar 23 '13 at 12:21
  • i assume your app pool is recycled after 5 exceptions. change that in your app pool configuration and check if the problem is still there. – NickD Mar 26 '13 at 20:29
  • @Snoopy exceptions are handled on every step, there's AppDomain.Unhandled handler as well, if there are exceptions I don't see them. Any suggestions what else I can do to find out if exceptions are causing this? The issue happens between two calls, both of which seem to work end-to-end – Sten Petrov Mar 26 '13 at 20:38
  • maybe the apppool gets recycled because a file is changed in the site directory. – NickD Mar 28 '13 at 21:01
  • @Snoopy I looked for that, even though I have no explicit code to do that at one time I turned everything off just to make sure and the problem persisted. I narrowed it down to the session cookie not being sent to the client – Sten Petrov Mar 28 '13 at 21:09
  • use a sample page and check with this client and see if you get the same problem. – NickD Mar 28 '13 at 21:11

3 Answers3

0

What is the default value for Idle Time-out ? If the app pool times out your session goes bye bye

See Application Pool (Advanced Settings) -> Idle Time-out

I think it defaults to five minutes.

See this link for advice on setting the idle timeout

You could also experience your issue if your running as a webgarden when it's not needed; look at Maximum Worker Processes, try setting it to 1 and retest

Paul Zahra
  • 9,522
  • 8
  • 54
  • 76
  • What happens is within .5 seconds - request challenge token, send response. Timeout is 20 minutes. I'll check the max workers later tonight but I believe it to be 5 and it was working like that for a while – Sten Petrov Mar 22 '13 at 16:28
  • Have you read http://stackoverflow.com/questions/5118236/sessions-in-asynchronous-design ? – Paul Zahra Mar 28 '13 at 09:09
0

I can see you are using handler for that purpose which would always return null. You need to implement IReadOnlySessionState. Check out http://www.hanselman.com/blog/GettingSessionStateInHttpHandlersASHXFiles.aspx

AdnanQ
  • 85
  • 6
  • I'm already doing that. Context.Session is always null if you don't put the interface in the class def – Sten Petrov Mar 26 '13 at 14:54
  • @StenPetrov have you tried IRequiresSessionState instead of IReadOnlySessionState ? – jbl Mar 27 '13 at 14:09
  • IRequiresSessionState is what's used, IReadOnlySessionState was something I tried very early on. Session cookie should work with either – Sten Petrov Mar 27 '13 at 14:24
0

Add IRequiresSessionState to your handler implimentation

ex

public class handler_name:IHttpHandler, IRequiresSessionState

Ajay Peter
  • 153
  • 4