I have an MVC4 web application which works perfectly on my local machine when I run it in Visual Studio.

So I publish the website to a server to go live with my application. But when I try to log in, my application goes to the following code:

    [HttpPost]
    public ActionResult CheckLogin(LoginViewModel vm)
    {
        if (!String.IsNullOrWhiteSpace(vm.UserName) && !String.IsNullOrWhiteSpace(vm.Password))
        {
            User u = ... 
            // Get user from database with credentials

            System.Web.HttpContext.Current.Session.Add("UserIdSession", u.Id);
            return RedirectToAction("Validate", "Overview");
        }
        else
        {
            // process the error that the login failed
        }
    }

The redirect goes to the following Action:

    [HttpGet]
    public ActionResult Validate()
    {
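        // Fully qualified: inside a Controller, HttpContext is the HttpContextBase property and has no Current.
        if (System.Web.HttpContext.Current.Session["UserIdSession"] != null)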
        {
            return View();
        }
        else
        {
             return RedirectToAction("Index", "Login");
        }
    }

But the problem is that the session variable does not exist and it always sends me back to the login screen.

I've found that doing a redirect after setting a session is causing this behaviour, but I couldn't find an answer to solve this issue...

So I have some questions about it:

  1. Why does it work on my local machine and not on a server?
  2. Can I modify server settings so it works the way I intended? Does it recycle stuff after a redirect?
  3. Can I reproduce this behaviour on my local machine like it would on the server with some settings?
  4. There must be an easy way to solve this or am I wrong? Do I really need to store session variables in a database or something like that?
Erik Funkenbusch
koala
  • NEVER EVER EVER EVER EVER use session for authentication purposes... don't do it. It's highly insecure, and unreliable (IIS can kill session whenever it feels like). ASP.NET provides an authentication mechanism (several actually), use them. FormsAuthentication for MVC4. – Erik Funkenbusch Apr 03 '15 at 14:17
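
The built-in mechanism the comment above recommends, as an added example (not code from the question or its commenters): FormsAuthentication issues a ticket cookie at login and `[Authorize]` checks it, so the redirect target no longer depends on session state. `Membership.ValidateUser`, the `LogOff` action and the `loginUrl` value are assumptions standing in for the asker's own user lookup and routes.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Assumed shape of the question's LoginViewModel.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class LoginController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Index() { return View(new LoginViewModel()); }

    // web.config is assumed to contain:
    //   <authentication mode="Forms"><forms loginUrl="~/Login/Index" /></authentication>
    [HttpPost, AllowAnonymous]
    public ActionResult CheckLogin(LoginViewModel vm)
    {
        // Membership.ValidateUser stands in for the question's own database lookup
        // (assumption: a membership provider is configured).
        if (!string.IsNullOrWhiteSpace(vm.UserName)
            && !string.IsNullOrWhiteSpace(vm.Password)
            && Membership.ValidateUser(vm.UserName, vm.Password))
        {
            // Issues the encrypted, signed ticket cookie; false = not persistent.
            FormsAuthentication.SetAuthCookie(vm.UserName, false);
            return RedirectToAction("Validate", "Overview");
        }
        ModelState.AddModelError("", "Invalid user name or password.");
        return View("Index", vm);
    }

    [HttpPost]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();   // expires the ticket cookie
        Session.Abandon();               // drops any per-user session data as well
        return RedirectToAction("Index", "Login");
    }
}

public class OverviewController : Controller
{
    [HttpGet, Authorize]   // anonymous requests are redirected to loginUrl
    public ActionResult Validate() { return View(); }
}
```

On a load-balanced farm, the ticket only validates on every node if all nodes share the same `<machineKey>` values in web.config.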

1 Answer

Do you have clustered servers with load balancing? If yes, then you may want to enable sticky sessions on it, so that all requests from one session go to the same server.

If you have server clustering, answers:

1) When you store the session in memory, you want to make sure all requests go to the same server, otherwise you would get this error on the server, but not locally.

2) If you just enable sticky session on server this error might go away.

3) If the error is because of clustering then you cannot reproduce it on local.

4) If you cannot enable sticky sessions on the load balancer, then you may either have to store the session in a file accessible to all clustered servers or store it in the db.

pjobs
  • The first part of your answer is a question to OP, which should be a comment. Given OP didn't answer the question, the second part of your answer is a guess, which should also be a comment. Only answer when the problem is clear, use comments otherwise. – CodeCaster Apr 03 '15 at 14:16
  • @CodeCaster - While I agree that asking questions should be a comment, you can certainly answer based on a hypothesis.. such as "If you are doing xxxx then do this", it's an answer, and even if it isn't a good answer for this question, it might answer other people's questions who find this question as part of their search and the qualification of what it applies to helps. – Erik Funkenbusch Apr 03 '15 at 14:20
  • @Erik sure, but _"why is my session lost on my IIS cluster with load balancing"_ is a very specific question, that has already been answered, which this isn't. I hate duplication and don't like guessing. The correct flow would be (apart from OP doing their own research): 1. A comment _"Do you use load balancing? Which session storage do you use?"_ 2. An answer by OP: _"Why yes, I do! It uses SQL."_ 3. A duplicate close vote with a link to [Losing Session State with ASP.NET/SQL Server](http://stackoverflow.com/questions/10555000/losing-session-state-with-asp-net-sql-server). – CodeCaster Apr 03 '15 at 14:24
  • @CodeCaster - I agree, in a perfect q/a world.. a lot of times, the asker doesn't come back to the question for several days though... regardless, this is just one of the reasons I think the workflow of SO needs a rethink.. but that's a different argument. – Erik Funkenbusch Apr 03 '15 at 15:21