2

I have been faced with this problem for months and I have read almost all I can about this and implemented most solutions but still nothing has changed. I don't know where I am making my mistake.

I am using a custom SessionManager class to get/set values into Session easily in my ASP.net CMS websites' admin panels. When the user logins I store user data to the Session then read in Admin.master page to check if the user is logged in. On different servers and also on localhost, the SessionManager.CurrentUser value is null at random times, sometimes 2 minutes sometimes 20 minutes after login, whether the page is idle or not. All my websites have the same problem.

My SessionManager.cs is 

public class SessionManager
{
    public SessionManager() { }

    public static User CurrentUser
    {
        get { return (User)HttpContext.Current.Session["crntUsr"]; }
        set { HttpContext.Current.Session["crntUsr"] = value; }
    }

    public static string CurrentAdminLanguage
    {
        get
        {
            if (HttpContext.Current.Session["crntLang"] == null) HttpContext.Current.Session["crntLang"] = SiteSettings.DefaultLanguage;
            return HttpContext.Current.Session["crntLang"].ToString();
        }
        set
        {
            HttpContext.Current.Session["crntLang"] = value;
        }
    }
}

Note: User class is [Serializable]

In Admin.master Page_Load

if (SessionManager.CurrentUser == null) Response.Redirect("../login");

In web.config

    <system.web>
         <sessionState mode="InProc" customProvider="DefaultSessionProvider" cookieless="UseCookies" regenerateExpiredSessionId="true" timeout="60"/>
         <machineKey validationKey="CC0...F80" decryptionKey="8BF...1B5" validation="SHA1" decryption="AES"/>
         <authentication mode="Forms">
             <forms loginUrl="~/login" timeout="60" slidingExpiration="true" cookieless="UseCookies" />
         </authentication>

    <system.webServer>
        <modules>
            <remove name="Session"/>
            <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
        </modules>

I really have no more ideas to solve this issue. Please help :(

Jeff B
  • 8,572
  • 17
  • 61
  • 140
Selim Özbudak
  • 149
  • 2
  • 8
  • try my solution here: http://stackoverflow.com/questions/24868515/session-manager-will-not-log-me-out-when-session-expires-httpcontext-current-is/24967167?noredirect=1#comment38817947_24967167 – Khanh TO Jul 27 '14 at 02:15

3 Answers3

0

Have you checked your application pool recycling timeout? That's a common issue for session "disappearing" prior than expected. Check in IIS

LittleSweetSeas
  • 6,786
  • 2
  • 21
  • 26
  • I've checked it again. AppPool timeout, Forms timeout and sessionstate timeout are all the same value 60. Now, it seems that i am not having problem but still not sure if it is OK or not. – Selim Özbudak Dec 06 '13 at 16:24
  • For one of my websites I ve contacted to the hosting company and they said that it is not possible to change this recycle timeout for every website so I should buy a VDS server. Is it possible to configure application pool recycle timeout for each website or not? – Selim Özbudak Dec 06 '13 at 16:53
  • If you're under a hosting, you have little chances. Anything (internal or external) that could cause an app pool recycle would break your sessions. So u should pass to another type of session management (eg. on DB) as suggested in other answers – LittleSweetSeas Dec 06 '13 at 16:55
  • OK. I'll try to move to SqlServer mode unless I get a server. I wonder how big applications manage such tooo many sessions? – Selim Özbudak Dec 06 '13 at 17:01
0

If you have problems, you could set up SQL Server for handling the session, which will persist it if the AppPool is recycled, or the server is rebooted.

For more information: http://support.microsoft.com/kb/317604

cederlof
  • 7,206
  • 4
  • 45
  • 62
  • That's so wierd that InProc is not working properly, if I can fix this issue everything is going to be alright. I think InProc should be enough to fulfil the needs. I have implemented my CMS for a couple of projects so your suggestion will be my last chance. Thanks anyway. – Selim Özbudak Dec 06 '13 at 15:07
  • There could be many reasons for this problem. Read this for AppPool recycling: http://petesbloggerama.blogspot.se/2007/10/losing-aspnet-sessions-why-application.html – cederlof Dec 06 '13 at 15:12
  • I had this issue on localhost sometimes. Does ASP.Net Development Server also has an application recycle timeout? Maybe I'm facing this problem on localhost because of memory or process recylcing. – Selim Özbudak Dec 06 '13 at 16:36
0

Here is a sample web.config code. I don't like the regenerateExpiredSessionId in there and also it is a good practice to have your session timeout to be less than your forms timeout. How ever my advice is to carefully examine your session manager code so you can be sure that you don't reset it somehow. I can think of two thing you could do: 1. Make a test page to check when the session is empty or not and to see if you can at all set a session variable. Try to do a button click (or a ajax request) and set a session variable to keep the session alive every 1 minute or so to see if it expires again even if you keep it alive. If you don't use the Session it will expire. 2. Do some kind of logging. Every time you set a session variable do a DB log of the variable you have set. You could use the test page in 1 to see what exactly you have set in session for the current user.

<authentication mode="Forms">
  <forms name="Web-site.ASPXAUTH" loginUrl="~/admin/login.aspx" protection="All" timeout="60" path="/" requireSSL="false" slidingExpiration="true" cookieless="UseDeviceProfile" domain="" enableCrossAppRedirects="false" />
</authentication>
<sessionState timeout="60" mode="InProc" />
<membership defaultProvider="WebSiteMembershipProvider">
  <providers>
    <clear />
    <add name="WebSiteMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="DefaultConnStr" applicationName="web-site" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Hashed" requiresUniqueEmail="false" />
  </providers>
</membership>
<roleManager defaultProvider="WebSiteRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="Web-Site.ASPXROLES" cookieTimeout="60" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" createPersistentCookie="false" maxCachedResults="25">
  <providers>
    <clear />
    <add name="WebSiteRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="DefaultConnStr" applicationName="web-site" />
  </providers>
</roleManager>
kms
  • 102
  • 1
  • 1
  • 8
  • I think WebSiteMembershipProvider is custom provider right? Logging the session is a good idea that I have already tried and see nothing spectecular. I think I'll move to SqlServer mode session to guarantee sessions. I dont know what kind of problems I'll have in that mode :( – Selim Özbudak Dec 06 '13 at 17:07