Session["User"] is lost sometimes in ASP.NET application

Question

In my login page, User enters his username and password. If credentials are valid, then I "save" this user in Session variable.

On every page, In Page_Load event, I am checking his rights. If session of saved user is null, then application redirects him on the login page. In most cases user is not null, but sometimes the session is lost during use of application.

My login.aspx.cs:

protected void btn_logIn_Click(object sender, EventArgs e)
{
      string username =  txt_user.Text;
      string pass= txt_pass.Text;
      if (checkUser(username ,pass)==true)
      {
          User loggedIn=new User();
          loggedIn=GetUser(username);
          Session["user"]=loggedIn;
          Response.Redirect("page.aspx",false);
      }
 }

protected void Page_Load(object sender, EventArgs e)
{
      User loggedIn=(User)Session["user"];
      if (loggedIn=!null)
      {
           Response.Redirect("Index.aspx",false);
      }

 }

Every other .aspx.cs:

protected void Page_Load(object sender, EventArgs e)
{
      User loggedIn=(User)Session["user"];
      if (loggedIn==null)
      {
           Response.Redirect("login.aspx",false);
      }
      else 
      {
           //Checking his rights...
      }
 }

Web.config

<sessionState mode="InProc" timeout="20"></sessionState>

BTW On localhost it works perfect. After i publish app, this happens.

EDIT: With further testing, I see strange results. For example, when my user is returned to login page, becase "he is not" in session, he can get back to Entry page (see login.aspx.cs, why is that), after few times of pressing F5 (refresh page).

What causes this problem? Looks like session data is still here, but not always, or what?

Thank you.

Do you write anything to web.config, or the bin folder? That will cause a restart of the webapp, clearing all sessions (diagnostic: every session will be gone at the same time). — Hans Keﬆing, May 26 '17 at 12:04
No, i do not. It works great on local host. Already checked IIS, nothing found. — tadej, May 26 '17 at 12:15
Check the web (IIS) log for time(s) in question, looking for dropped cookies or application restarts. — Mad Myche, May 26 '17 at 12:19
This comment has nothing to do with your problem, but you should look into Forms Authentication - https://msdn.microsoft.com/en-us/library/7t6b43z4.aspx — Matt M, May 26 '17 at 12:24
Can you please increase the 'Idle Time-out' value to the desired length in IIS? Try again... — Dipak Delvadiya, May 26 '17 at 12:25

score 1 · Answer 1 · edited Oct 03 '18 at 15:34

1

Because you have set

sessionState mode="InProc" timeout="20"

in the Web.config which means that Session will be useless after 20 miniutes.

This is a good method to enhance the safety of you web sites.

edited Oct 03 '18 at 15:34

Liam

27,717
28
128
190

answered May 26 '17 at 11:52

William H

11
2

1

It's also useless after an application pool recycle. (`InProc`.) – ta.speot.is May 26 '17 at 11:52
Session is lost sometimes after 1 minute for example. This is not a problem. – tadej May 26 '17 at 11:54

Session["User"] is lost sometimes in ASP.NET application

1 Answers1