HttpContext.Current.Session is null when routing requests

Question

Without routing, HttpContext.Current.Session is there so I know that the StateServer is working. When I route my requests, HttpContext.Current.Session is null in the routed page. I am using .NET 3.5 sp1 on IIS 7.0, without the MVC previews. It appears that AcquireRequestState is never fired when using the routes and so the session variable isn't instantiated/filled.

When I try to access the Session variables, I get this error:

base {System.Runtime.InteropServices.ExternalException} = {"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration>.

While debugging, I also get the error that the HttpContext.Current.Session is not accessible in that context.

--

My web.config looks like this:

<configuration>
  ...
  <system.web>
    <pages enableSessionState="true">
      <controls>
        ...
      </controls>
    </pages>
    ...
  </system.web>
  <sessionState cookieless="AutoDetect" mode="StateServer" timeout="22" />
  ...
</configuration>

Here's the IRouteHandler implementation:

public class WebPageRouteHandler : IRouteHandler, IRequiresSessionState
{
    public string m_VirtualPath { get; private set; }
    public bool m_CheckPhysicalUrlAccess { get; set; }

    public WebPageRouteHandler(string virtualPath) : this(virtualPath, false)
    {
    }
    public WebPageRouteHandler(string virtualPath, bool checkPhysicalUrlAccess)
    {
        m_VirtualPath = virtualPath;
        m_CheckPhysicalUrlAccess = checkPhysicalUrlAccess;
    }

    public IHttpHandler GetHttpHandler(RequestContext requestContext)
    {
        if (m_CheckPhysicalUrlAccess
            && !UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                   m_VirtualPath,
                   requestContext.HttpContext.User,
                   requestContext.HttpContext.Request.HttpMethod))
        {
            throw new SecurityException();
        }

        string var = String.Empty;
        foreach (var value in requestContext.RouteData.Values)
        {
            requestContext.HttpContext.Items[value.Key] = value.Value;
        }

        Page page = BuildManager.CreateInstanceFromVirtualPath(
                        m_VirtualPath, 
                        typeof(Page)) as Page;// IHttpHandler;

        if (page != null)
        {
            return page;
        }
        return page;
    }
}

I've also tried to put EnableSessionState="True" on the top of the aspx pages but still, nothing.

Any insights? Should I write another HttpRequestHandler that implements IRequiresSessionState?

Thanks.

Loki · Accepted Answer · 2009-02-10T09:19:56.677

54

Got it. Quite stupid, actually. It worked after I removed & added the SessionStateModule like so:

<configuration>
  ...
  <system.webServer>
    ...
    <modules>
      <remove name="Session" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
      ...
    </modules>
  </system.webServer>
</configuration>

Simply adding it won't work since "Session" should have already been defined in the machine.config.

Now, I wonder if that is the usual thing to do. It surely doesn't seem so since it seems so crude...

edited Feb 10 '09 at 09:19

answered Oct 21 '08 at 09:01

Loki

1,159
1
9
11

3

Thanks for this. It solved my problem nicely - as it turns out, the production server needed it but not the dev machine. – Raithlin Feb 03 '10 at 07:42
2

That's ins@ne! Thanks. This fixed my "TempData" (mvc razor) values from disappearing as well (since TempData uses Session). Holy Moly. – granadaCoder Aug 10 '15 at 20:44
I have the issue of TempData values disappearing, but this didn't solve it. – Dinei Aug 27 '15 at 19:54
Just fixed my TempData's issue. I had to change `sessionState` on web.config to use `StateServer` instead of the default `InProc`. – Dinei Aug 27 '15 at 21:10

score 25 · Answer 2 · edited Nov 17 '11 at 10:48

25

Just add attribute runAllManagedModulesForAllRequests="true" to system.webServer\modules in web.config.

This attribute is enabled by default in MVC and Dynamic Data projects.

edited Nov 17 '11 at 10:48

Tim Schmelter

450,073
74
686
939

answered Dec 19 '08 at 15:46

gandjustas

1,925
14
12

2

Awesome! this is the answer i was after .. much better than the accepted one. – Pure.Krome May 20 '10 at 04:41
8

Read some shanselman to know why rammfar can be bad for your (server's) health: http://www.hanselman.com/blog/BackToBasicsDynamicImageGenerationASPNETControllersRoutingIHttpHandlersAndRunAllManagedModulesForAllRequests.aspx – Peter Apr 13 '12 at 06:30

score 16 · Answer 3 · edited Jun 21 '11 at 18:16

16

runAllManagedModulesForAllRequests=true is actually a real bad solution. This increased the load time of my application by 200%. The better solution is to manually remove and add the session object and to avoid the run all managed modules attribute all together.

edited Jun 21 '11 at 18:16

Balanivash

6,709
9
32
48

answered Jun 21 '11 at 17:00

Frankie Rodriguez

161
1
2

score 11 · Answer 4 · edited Feb 13 '19 at 16:53

11

None of these solutions worked for me. I added the following method into global.asax.cs then Session was not null:

protected void Application_PostAuthorizeRequest()
{
    HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
}

edited Feb 13 '19 at 16:53

Eric Aya

69,473
35
181
253

answered Sep 22 '17 at 14:50

ViqMontana

5,090
3
19
54

And why does this help? :^) – user2173353 Jul 05 '19 at 09:24
1

@user2173353 For me, this helped because I was trying to access SessionState in an object during a web.api request. I assume it did not previously work because the SessionState was not included in the HttpContext of that specific kind of request. – jaybro Dec 16 '20 at 16:35
1

@jaybro Yes, I know that too now, after some investigation I did. WebAPI has session state disabled by default and you need to enable it yourself if you wan to use it. However, if you don't use it as `ReadOnly`, the user requests will not get executed in parallel, because each request of the same user locks the session state dictionary to prevent race conditions. I tried having different `SessionStateBehavior` per endpoint, to only use `Required` when needed, but the framework worked against me. – user2173353 Dec 17 '20 at 13:03

score 3 · Answer 5 · answered Oct 20 '08 at 11:30

3

What @Bogdan Maxim said. Or change to use InProc if you're not using an external sesssion state server.

<sessionState mode="InProc" timeout="20" cookieless="AutoDetect" />

Look here for more info on the SessionState directive.

answered Oct 20 '08 at 11:30

tvanfosson

524,688
99
697
795

SessionState works if I access the page normally. If I use routing, HttpContext.Current.Session is null. The section seems to be working in the config. – Loki Oct 20 '08 at 11:41

score 3 · Answer 6 · answered Dec 13 '08 at 02:44

Nice job! I've been having the exact same problem. Adding and removing the Session module worked perfectly for me too. It didn't however bring back by HttpContext.Current.User so I tried your little trick with the FormsAuth module and sure enough, that did it.

<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>

score 0 · Answer 7 · answered Oct 07 '12 at 20:27

0

I was missing a reference to System.web.mvc dll in the session adapter, and adding the same fixed the issue.

Hopefully it will help someone else going through same scenario.

answered Oct 07 '12 at 20:27

Mandeep Janjua

15,583
4
29
24

What does this mean? What are the steps to do this? – paulwhit Oct 16 '14 at 02:30
Sorry, I could not understand your question. What steps are you talking about? I added a reference to "System.web.mvc dll" by right clicking on references on mvc project inside visual studio – Mandeep Janjua Oct 19 '14 at 00:19

score 0 · Answer 8 · answered Oct 20 '08 at 11:10

0

It seems that you have forgotten to add your state server address in the config file.

 <sessionstate mode="StateServer" timeout="20" server="127.0.0.1" port="42424" />

answered Oct 20 '08 at 11:10

Bogdan Maxim

5,866
3
23
34

1

Tried it but still the same. It shouldn't really matter w/ its default value:"tcpip=loopback:42424"(http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.stateconnectionstring.aspx) I doubt the problem is in the Session provider since it works without the routing. – Loki Oct 20 '08 at 11:32

Loki · Answer 9 · 2008-10-20T11:43:08.450

0

The config section seems sound as it works if when pages are accessed normally. I've tried the other configurations suggested but the problem is still there.

I doubt the problem is in the Session provider since it works without the routing.

edited Oct 20 '08 at 11:43

answered Oct 20 '08 at 11:29

Loki

1,159
1
9
11

score 0 · Answer 10 · answered Oct 20 '08 at 13:59

0

I think this part of code make changes to the context.

 Page page = BuildManager.CreateInstanceFromVirtualPath(
                        m_VirtualPath, 
                        typeof(Page)) as Page;// IHttpHandler;

Also this part of code is useless:

 if (page != null)
 {
     return page;
 }
 return page;

It will always return the page wither it's null or not.

answered Oct 20 '08 at 13:59

mohammedn

2,926
3
23
30

Thanks for reminding me. That was some vestigial code after trying out so many things. :D – Loki Oct 21 '08 at 09:03

score -1 · Answer 11 · answered Oct 28 '09 at 17:55

-1

a better solution is

runAllManagedModulesForAllRequest is a clever thing to do respect removing and resinserting session module.

alk.

answered Oct 28 '09 at 17:55

Alkampfer

1,359
12
27

Please, read this to understand why this is not a clever solution: https://www.hanselman.com/blog/back-to-basics-dynamic-image-generation-aspnet-controllers-routing-ihttphandlers-and-runallmanagedmodulesforallrequests – Fabricio Nov 19 '20 at 19:06

HttpContext.Current.Session is null when routing requests

11 Answers11

Linked