Last post Apr 01, 2016 08:32 PM by ltaylor
Apr 01, 2016 06:22 PM|ltaylor|LINK
I'm having an issue with a web site that is running a combination of classic ASP, ASP.NET web forms, ASP.NET MVC5, and WebAPI 2. This is targeting the .NET 4.6 framework.
We are losing ASP.NET session state between requests in a very predictable manner. If you log into our site, and then log out, it triggers Session.Abandon(). A new session is then created when you navigate to the login page, although we are not generating
a new session ID. The Session_Start event is triggered, and some initial values are populated. I've validated that they exist in the session and the end of the Session_Start event and remain there until the end of that request. Afterwards, we navigate to
another page that utilizes ASP.NET session. In the Application_PostAcquireRequestState event handler, the session is empty - the values added in Session_Start are missing.
The Session_End event handler was not fired between these requests so I have no reason to believe that the session is expiring for some reason. The application pool is not recycling. No code is calling Session.Clear(), Session.Abandon(), or the like in
between these calls (having stepped through requests by putting breakpoints in the Application_PostAcquireRequestState handler, I can be certain that there are in fact no ASP.NET requests being processed between the loading of the login page that triggered
the session start event and the requset that is encountering the problem.
Some additional information -
We have another code branch that this is based off of that is also on .NET 4.6, and has the Classic ASP, ASP.NET Web Forms, and WebAPI 2, but not MVC. The only other framework difference is that we changed our DI container library from Ninject (base branch)
to Autofac (new branch containing problem). Aside from that, all changes are in our application functionality. The base branch IS NOT experiencing this issue.
We are using the InProc session model. Cookies for session identification (as mentioned above when deleting the session cookie).
Also, when I say "log out", I don't mean that in the expected sense. Our site is actually running in anonymous authentication mode ()
and has a simple prompt for a username and password that populates some session variables. There isn't an authentication framework in place and none of the usual security mechanisms are there. The only thing that causes a log out is the call to Session.Abandon()
when a user clicks the log out button. (Yes, I know this is horribly flawed...this is very old code that I'm inheriting and I'm working on it.)
What am I missing? Is there something I'm not checking? Is there a known bug that I'm not aware of?
Apr 01, 2016 08:08 PM|ltaylor|LINK
Some more information:
have a value in this context...). This is the request that is triggering the Session_Start - but it appears that since the request isn't actually mapping to an ASP.NET page, it's not continuing through the pipeline and thus never reaching the Application_ReleaseRequestState
handler, which is preventing the session state from being saved.
The thing that seems to be different between our base branch and our problematic one is that the base branch is then firing Session_Start again on the next request (the one after the one to "undefined", even though Session_End wasn't called, whereas our
new one is not. What could be causing this difference? Is there something unique to MVC or some config change I may have inadvertently made that is resulting in this?
Apr 01, 2016 08:32 PM|ltaylor|LINK
I figured it out. The MVC routing system was picking up the /undefined requests, which triggered the .NET pipeline. This wasn't happening in the base branch since MVC routing wasn't configured. (Our Web API routes are set up in such a way that they wouldn't
catch the /undefined request.) I added an IgnoreRoute call to our route config and this prevented the ASP.NET pipeline from firing. (Of course, I'm going to fix the /undefined links now as well.)