Apr 01, 2016 06:22 PM|ltaylor|LINK
I'm having an issue with a web site that is running a combination of classic ASP, ASP.NET web forms, ASP.NET MVC5, and WebAPI 2. This is targeting the .NET 4.6 framework.
We are losing ASP.NET session state between requests in a very predictable manner. If you log into our site, and then log out, it triggers Session.Abandon(). A new session is then created when you navigate to the login page, although we are not generating
a new session ID. The Session_Start event is triggered, and some initial values are populated. I've validated that they exist in the session and the end of the Session_Start event and remain there until the end of that request. Afterwards, we navigate to
another page that utilizes ASP.NET session. In the Application_PostAcquireRequestState event handler, the session is empty - the values added in Session_Start are missing.
The Session_End event handler was not fired between these requests so I have no reason to believe that the session is expiring for some reason. The application pool is not recycling. No code is calling Session.Clear(), Session.Abandon(), or the like in
between these calls (having stepped through requests by putting breakpoints in the Application_PostAcquireRequestState handler, I can be certain that there are in fact no ASP.NET requests being processed between the loading of the login page that triggered
the session start event and the requset that is encountering the problem.
Some additional information -
We have another code branch that this is based off of that is also on .NET 4.6, and has the Classic ASP, ASP.NET Web Forms, and WebAPI 2, but not MVC. The only other framework difference is that we changed our DI container library from Ninject (base branch)
to Autofac (new branch containing problem). Aside from that, all changes are in our application functionality. The base branch IS NOT experiencing this issue.
We are using the InProc session model. Cookies for session identification (as mentioned above when deleting the session cookie).
Also, when I say "log out", I don't mean that in the expected sense. Our site is actually running in anonymous authentication mode ()
and has a simple prompt for a username and password that populates some session variables. There isn't an authentication framework in place and none of the usual security mechanisms are there. The only thing that causes a log out is the call to Session.Abandon()
when a user clicks the log out button. (Yes, I know this is horribly flawed...this is very old code that I'm inheriting and I'm working on it.)
What am I missing? Is there something I'm not checking? Is there a known bug that I'm not aware of?