61

I have an ASP.net application where Users aren't able to successfully complete certain actions, for reasons, I'm assuming, can only be related to losing their session (which is where I maintain their current user information, and how determine whether they are logged in)

I'm at a loss as to why they would lose their session, so my first question is:

What (in general) would cause a user to lose their session in ASP.net?

and since I don't know when a user loses their session and can't reproduce it myself:

How can I track when I user loses their session

Below is my sessionState config for reference

<sessionState
           mode="InProc"
           cookieless="false"
           cookieName="My.Site.Com"
           timeout="480"/>
Adam Ritenauer
  • 3,151
  • 4
  • 33
  • 40
  • 7
    You could be thinking too hard. You stated that you are "assuming" that the session is being lost. It is possible that this is a wild goose chase. Perhaps you might be better analyzing the exception you are receiving and take that into consideration. Other possibilities include issues with using a web farm or cluster. Since the session mode is "InProc", if connections change servers on you, the session state will be lost. – Russ Aug 18 '10 at 19:53
  • I know I'm not using a web farm for sure I am on a virtual machine though. I am, admittedly, only assuming, but I'm about 80% sure it's session state, and at the very least I'd like to keep assuming its an issue until I can rule it out. – Adam Ritenauer Aug 18 '10 at 20:22
  • 1
    For me it worked to add a machine key to my web.config. I host on a shared hosting and this link assist in creating one local and then publish it. [link](https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey/) – Riaan Swart Apr 06 '17 at 11:29

11 Answers11

112

A number of things can cause session state to mysteriously disappear.

  1. Your sessionState timeout has expired
  2. You update your web.config or other file type that causes your AppDomain to recycle
  3. Your AppPool in IIS recycles
  4. You update your site with a lot of files, and ASP.NET proactively destroys your AppDomain to recompile and preserve memory.

-

If you are using IIS 7 or 7.5, here are a few things to look for:

  1. By default, IIS sets AppPools to turn themselves off after a period of inactivity.
  2. By default, IIS sets AppPools to recycle every 1740 minutes (obviously depending on your root configuration, but that's the default)
  3. In IIS, check out the "Advanced Settings" of your AppPool. In there is a property called "Idle Time-out". Set that to zero or to a higher number than the default (20).
  4. In IIS, check the "Recycling" settings of your AppPool. Here you can enable or disable your AppPool from recycling. The 2nd page of the wizard is a way to log to the Event Log each type of AppPool shut down.

If you are using IIS 6, the same settings apply (for the most part but with different ways of getting to them), however getting them to log the recycles is more of a pain. Here is a link to a way to get IIS 6 to log AppPool recycle events:

http://web.archive.org/web/20100803114054/http://surrealization.com/sample-code/getnotifiedwhenapppoolrecycles/

-

If you are updating files on your web app, you should expect all session to be lost. That's just the nature of the beast. However, you might not expect it to happen multiple times. If you update 15 or more files (aspx, dll, etc), there is a likelyhood that you will have multiple restarts over a period of time as these pages are recompiled by users accessing the site. See these two links:

http://support.microsoft.com/kb/319947

http://msdn.microsoft.com/en-us/library/system.web.configuration.compilationsection.numrecompilesbeforeapprestart.aspx

Setting the numCompilesBeforeAppRestart to a higher number (or manually bouncing your AppPool) will eliminate this issue.

-

You can always handle Application_SessionStart and Application_SessionEnd to be notified when a session is created or ended. The HttpSessionState class also has an IsNewSession property you can check on any page request to determine if a new session is created for the active user.

-

Finally, if it's possible in your circumstance, I have used the SQL Server session mode with good success. It's not recommended if you are storing a large amount of data in it (every request loads and saves the full amount of data from SQL Server) and it can be a pain if you are putting custom objects in it (as they have to be serializable), but it has helped me in a shared hosting scenario where I couldn't configure my AppPool to not recycle couple hours. In my case, I stored limited information and it had no adverse performance effect. Add to this the fact that an existing user will reuse their SessionID by default and my users never noticed the fact that their in-memory Session was dropped by an AppPool recycle because all their state was stored in SQL Server.

Adam Sills
  • 16,896
  • 6
  • 51
  • 56
  • Wow... quite an exhaustive list, thank you! You listed out everything that could happen on the server side, is there anything that could happen that would hinder IIS's ability to identify a request and match it with the propper session? – Adam Ritenauer Aug 18 '10 at 21:08
  • Yes but they're much less likely. Someone else mentioned here a proxy could be trashing the session cookie, although any modern proxy would not likely do this (because all modern web dev environments use session cookies). I've been through this recently on a single web application a couple of times - first it was AppPool recycles, then it was page updates (caused by > 15 pages in an update). – Adam Sills Aug 18 '10 at 23:45
  • How I can configure IIS on server (not my local pc)? – Mazdak Shojaie Mar 23 '14 at 14:55
  • Just was working on an older asp.net application and it was the "20 minute default". – JonH Oct 12 '15 at 13:10
  • Even current IIS defaults to 20 minutes. @JonH – Adam Sills Oct 12 '15 at 17:00
  • @AdamSills - I really thought I solved it but apparently not. My issue is much stranger. Values on my form disappear after around 20 minutes of inactivity. The session state is not lost...but if in code behind I do something like `string text = MyDropDownlist.SelectedValue;` the drop down list is empty / null. This happens to any asp.net control. I already checked the advanced setting of the application pool and modified it to 60 minutes just for a sanity check. I dont know what to look for or even what to google... – JonH Oct 12 '15 at 17:39
  • Tip: `IsNewSession` will remain true until you actually add something into the session. Just mentioning this because it's a nasty bug to assume it means `IsFirstRequest` - which it doesn't. – Simon_Weaver Feb 25 '17 at 09:57
5

I was having a situation in ASP.NET 4.0 where my session would be reset on every page request (and my SESSION_START code would run on each page request). This didn't happen to every user for every session, but it usually happened, and when it did, it would happen on each page request.

My web.config sessionState tag had the same setting as the one mentioned above.

cookieless="false"

When I changed it to the following...

cookieless="UseCookies"

... the problem seemed to go away. Apparently true|false were old choices from ASP.NET 1. Starting in ASP.Net 2.0, the enumerated choices started being available. I guess these options were deprecated. The "false" value has never presented a problem in the past - I've only noticed in on ASP.NET 4.0. I don't know if something has changed in 4.0 that no longer supports it correctly.

Also, I just found this out not long ago. Since the problem was intermittent before, I suppose I could still encounter it, but so far it's working with this new setting.

Rick
  • 51
  • 1
  • 1
3

Your session is lost becoz....

JUST MAKE SURE THERE ARE NO RUNTIME ERRORS, ANY FATAL EXCEPTION WOULD KILL THE SESSION!

In Microsoft stack, Visual Studio - put Ctrl + Alt + E - All Exceptions ON, then run the code in Debugging mode. Any Fatal ones are THE reason for session loss..

HydTechie
  • 797
  • 10
  • 17
  • +1 .Very interesting. We had exact same issue. A unhandled error while writing to a text file caused the session to get wiped out! In the writing to text file module, there was no code to touch the session! – S Nash Oct 27 '17 at 19:19
2

In my case setting AppPool->AdvancedSettings->Maximum Worker Proccesses to 1 helped.

Michael
  • 368
  • 3
  • 7
0

You could add some logging to the Global.asax in Session_Start and Application_Start to track what's going on with the user's Session and the Application as a whole.

Also, watch out of you're running in Web Farm mode (multiple IIS threads defined in the application pool) or load balancing because the user can end up hitting a different server that does not have the same memory. If this is the case, you can switch the Session mode to SQL Server.

Jemes
  • 2,822
  • 21
  • 22
  • 4
    Web Farm wouldn't be multiple worker processes for the app pool. That would be a Web Garden. A web farm would span multiple servers. – Jeff Reddy May 24 '12 at 20:40
0

I was only losing the session which was not a string or integer but a datarow. Putting the data in a serializable object and saving that into the session worked for me.

Gert R.
  • 1
  • 1
0

Had a problem on IIS 8 when retrieving Content via Ajax. The issue was that MaximumWorkerProcesses was set to 2 and Javascript opened 17 concurrent requests. That was more than the AppPool could handle and a new pool (without auth-data) was opened.

Solution was to Change MaximumWorkerProcesses to 0 in IIS -> Server -> Application Pools -> [myPool] -> Advanced Settings -> Process Model -> MaximumWorkerProcesses.

Martin Seitl
  • 628
  • 10
  • 19
0

Dont know is it related to your problem or not BUT Windows 2008 Server R2 or SP2 has changed its IIS settings, which leads to issue in session persistence. By default, it manages separate session variable for HTTP and HTTPS. When variables are set in HTTPS, these will be available only on HTTPS pages whenever switched.

To solve the issue, there is IIS setting. In IIS Manager, open up the ASP properties, expand Session Properties, and change New ID On Secure Connection to False.

SRK - Khurram
  • 11
  • 2
0

I had same problem by losing sessions. every time , every page reload, my sessions clear and by new reload any page, my sessions returned by valid value...

i fixed it by change MaximumWorkerProcesses from 0 to 1 in iis

user3150241
  • 31
  • 8
0

I was struggling with this issue for 14 days.

Here's what helped me:

  1. Check your recycling options in App Pool > Advanced settings. Turn off all of the options so it won't recycle on its own.
  2. Check your web.config file for the executionTimeout property under httpRuntime and increase its value.
  3. Check your web.config file for the timeout property under sessionState and increase its value (I set it to 300 minutes).
  4. Go to the server's event log and check the Application log for unhandled exceptions that may cause the worker process to crash. Fix them in your code or use try and catch to eliminate this crash.
  5. Try changing the value of your maximum worker process from 0 to 1 or the other way around, this may also solve this issue.
Koby Douek
  • 16,156
  • 19
  • 74
  • 103
0

In my case, session state was loosing due to Load Balancer. Session was storing in one server and Load balancer was redirecting next call to another server where session state was missing.

Aalisha Gehlot
  • 41
  • 4