
I'm having a very interesting, but frustrating issue. I have an MVC 4 site running with standard ASP.NET Authentication.

In and only in the combination of IE 10 on Windows 8, when I traverse my site and navigate to an http url from an https url (both on the same site), it is generating a different asp.net_sessionid value. In every other browser/OS combo I have tried, this does not appear to be an issue.

I have searched high and low and while I certainly have found people experiencing various authentication issues (usually regarding IIS7 not recognizing IE10 as a browser), I have not found anyone else claiming to have experienced this exact issue. More concerning, I published an 'out of the box' MVC template project and it has the same issue. I can't possibly be the only one who has run across this problem (so I hope).

Anyone else run into this? Or maybe even just have some suggestions?

Thanks

UPDATE

Okay, so there is one more important aspect. I am running this on a load balanced environment. If I push the apps to a single server and test, I have no issues.

Nick Weber
  • possible duplicate of [how can I share an asp.net session between http and https](http://stackoverflow.com/questions/567535/how-can-i-share-an-asp-net-session-between-http-and-https) – Erik Funkenbusch Oct 15 '13 at 17:45
  • I don't know why it's working in other browsers, but it shouldn't be. Unless you configure session cookies to be secure, they will always be different between http and https. – Erik Funkenbusch Oct 15 '13 at 17:45
  • Yeah, good points, but my understanding was b/c I wasn't setting my cookie to 'secure=true' then the cookie ought to persist between https and http. Whether this is good practice or not, it is the desire of the client. – Nick Weber Oct 15 '13 at 17:50
  • ***load balanced environment*** - Where do you store session state - such as StateServer, SQLServer? – Win Oct 15 '13 at 18:05
  • 'In Process', but wouldn't that be a problem independent of browser? – Nick Weber Oct 15 '13 at 18:25

1 Answer

You mention that you have had this problem in a load balanced environment, right? I assume you are using the default "In Proc" method of storing session data. If that is the case, then I think I know what could be happening. (For the sake of argument, I will assume 2 servers, but it doesn't really matter if you have more.)

You are being sent to ServerA and a session is created. Because this is In Process, ServerB has no idea about it. Eventually (and how that happens is a matter of how your load balancer is set up. Sticky session? Cookies? Round robin?) you will be sent to ServerB. Because that server had no idea you already have a session, a new one is created and you are given a new session ID.

So why is it happening under your exact repro steps? Well, my hunch is that given enough time and load, you would see it just navigating from /page1 to /page2. Again - this depends on how your load balancer is set up, but it could be that since you are changing protocol that triggers something and you are sent to another server in the pool.

How can you fix it?
To start, make sure you have the same machine key in their machine.config. If you don't have access to that I think it will work in the web.config, but I haven't tried it.

Now, set up another way to store session state. In SQL Server perhaps, or MySQL or Postgres or wherever. If you have SQL Server that will be the easiest since the driver is built in, but if you have another datastore you will either need to build or find a library that will do it. I worked on a project where we used Postgres to store session state.

We used npgsql as the driver to connect to the server, and built our own `PgsqlSessionProvider : SessionStateStoreProviderBase`, and hooking it up is actually really easy:

```xml
<sessionState mode="Custom" customProvider="PgsqlSessionProvider">
  <providers>
    <add name="PgsqlSessionProvider" type="My.namespace.PgsqlSessionStateStore" connectionStringName="connectionStringName" writeExceptionsToEventLog="true" />
  </providers>
</sessionState>
```
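
The two changes the answer describes (a shared machine key, and session state moved out of process into SQL Server) as a web.config fragment. This is an added example, not the answerer's configuration; the SQL host name, the key placeholders and the timeout are assumptions.

```xml
<!-- Added example. Host name, key values and timeout are placeholders (assumptions). -->
<configuration>
  <system.web>
    <!-- Before (the default the answer assumes): state lives in each
         worker process, so another node in the pool cannot see it.
    <sessionState mode="InProc" />
    -->

    <!-- After: every node reads and writes session state in one SQL Server.
         The ASPState database must be provisioned first (aspnet_regsql.exe
         with the -ssadd option), and objects placed in Session must be
         serializable once state leaves the process. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=SQLHOST.example.internal;Integrated Security=SSPI"
                  cookieless="false"
                  timeout="20" />

    <!-- Identical on every node so that forms authentication tickets and
         view state issued by one server validate on the others.
         Generate the keys once and deploy the same values everywhere. -->
    <machineKey validationKey="REPLACE_WITH_SHARED_HEX_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_SHARED_HEX_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

The machine key values are secrets: anyone who holds them can forge authentication tickets for the site, so keep them out of source control and restrict who can read the deployed config.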