7

I moved an ASP.NET site running on a server with .NET 1.1 to another server running with .NET 2.0.

In one of the pages I have the following code to detect an expired session:

  protected void Page_Init(object sender, System.EventArgs e) {  

    if ( Session["XBCPEmail"] == null ) {
      Response.Redirect("signin.aspx?expired=yes");
      return;
    }
  }

(Session["XBCPEmail"] == null) is resolving as true (as if the session had expired) in one unexpected case, after clicking one of the buttons of the page. It happens with only one of the buttons. Just like other buttons in the same page, the button event handler ends with this code redirecting to the same page:

Response.Redirect("cpanel.aspx"); 

I checked and at the time of Response.Redirect("cpanel.aspx"); the value of (string)Session["XBCPEmail"] is a valid string, so I'm not sure what can happen between the Response.Redirect and the Page_Init that could be making the Session["XBCPEmail"] become null.

What could make a Session variable in .NET 2.0 become null? This code does not have that issue in 1.1 and, even in 2.0, it only affects one button on the page.

UPDATE: The issue only occurs if the button event handler calls an external .exe program, with the code below. If this code is commented out, the Session variable is not null. How can the creation of an external process to run a command line program have any impact on if a Session variable is null or not?

  private string CallBridge3(string task, string arg1, string arg2, string arg3) {

    Process process = new Process();

    process.StartInfo.FileName = MapPath("bridgefcp.exe");
    process.StartInfo.Arguments = "-" + task + " \"" + arg1 + "\" \"" + arg2 + "\" \"" + arg3 + "\"";
    process.StartInfo.RedirectStandardOutput = true;
    process.StartInfo.UseShellExecute = false;

    process.Start();

    string output = process.StandardOutput.ReadToEnd();
    process.WaitForExit();
    return output;
  }

UPDATE 2: The problem has vanished after installing .NET 4.5 on the Windows 2008 R2 with IIS 7.5 machine, instead of using the one that came by default, which was .NET 2.0.

9 Answers

12

By default, Response.Redirect terminates thread execution, and there might be race conditions in setting session variables. It is described in the article "Don't redirect after setting a Session variable (or do it right)", so try to use another, less violent version:

Response.Redirect("cpanel.aspx", false); 

6 Comments

You should pretty much always give false as the second parameter to Response.Redirect.
Adding a second parameter with false does not seem to fix the issue. One difference between this button and other working buttons is that before the Response.Redirect, an external process is created a couple times to run an .exe file. I have just added some additional code at the end of the original question to show this code.
I tracked down the issue and it occurs if and only if a call to CallBridge3 takes place at least once during the event handler. How can Session information be affected at postback if an external process is created and waited for?
That's really interesting. I even tried to reproduce that, but unsuccessfully. Is this happening to all your Session values, or only XBCPEmail? How is your Session State configured in web.config? When do you set XBCPEmail value? And is there any place where you are setting it to null?
The problem has disappeared when installing .NET 4.5 (instead of using the .NET 2.0 that came with Windows 2008 R3 with IIS 7.5).
12

Check your web.config; maybe you have this tag:

<httpCookies requireSSL="true" />

If so, remove it.

3 Comments

Why would that element cause problems? I need it to put the secure flag on ASP.NET session cookies.
I had a problem with losing session, but it was on my local machine. On the server everything worked fine. Removing this node helped me.
I have found that having this element will only cause Session data loss, when the requested pages are not requested over https (hence the "require SSL"). I believe I read that internally, there is an Assert(Request.IsSecure) before the Session cookie is set.
2

You need to update web.config as mentioned below:

<httpCookies requireSSL="false" />


2

I was facing the same issue and tried every option mentioned in the above answers. Finally found that the issue was that we had marked the session cookie as secure in our project but were running it with http. If the server has not been set up for SSL and you try to mark the cookie secure, a new session will be generated for each request. So finally enabling https back fixed it for me.


1

I believe your session in the web.config is being reset (getting a new SessionID for each postback).

You could try to debug this by putting the SessionID somewhere on the page (for testing) with

HttpContext.Current.Session.SessionID

This did happen on one of my websites and all I had to do was go into IIS and resave the SessionState Panel.

2 Comments

Curiously, the value of HttpContext.Current.Session.SessionID is the same, before clicking the button and also at Page_Init, when Session["XBCPEmail"] is null.
This was the answer locally, not on the server. I was having issues with my SessionID resetting after each postback; it was caused by having <httpCookies requireSSL="true"/> in my web.config settings. This was a requirement for PCI compliance on the server; it was only affecting me locally.
1

Just go to your web.config file and edit your sessionstate tag. Set requiressl to false from true.


1

I encountered this problem when setting the Session variable before a redirect. I had enableSessionState="ReadOnly" in Web.config. It happens because the session does not exist and the redirect happens before the client can set the session cookie.

My solution was to set a dummy Session variable in the previous page load (login page in my case).

protected void Page_Load(object sender, EventArgs e)
{
    // Put this in master page or login page
    Session["createSession"] = true; /* ensure there's a cookie for session */
}


1

<httpCookies requireSSL="false" />

Removing this from the local web.config worked for me. The issue was only happening when running the app locally.

  • Removed the setting from web.config
  • Added it to the web.staging.config and web.production.config
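
Added example (not part of the answer above and not the poster's actual files): the per-environment split this answer describes, written as a web.config transform, so that cookies keep the Secure flag wherever the site is served over https while the local http site keeps its session. The file name web.production.config comes from the answer; the base web.config shown in the comment is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  web.production.config: transform applied on top of web.config at publish time.

  Assumed base web.config, used locally over plain http:
      <system.web>
        <httpCookies httpOnlyCookies="true" requireSSL="false" />
      </system.web>

  If the element was removed from the base file entirely, use
  xdt:Transform="Insert" on the element below instead of SetAttributes.
-->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <!-- Production is reachable over https only, so every cookie is marked Secure.
         SetAttributes rewrites only requireSSL and leaves httpOnlyCookies as is. -->
    <httpCookies requireSSL="true"
                 xdt:Transform="SetAttributes(requireSSL)" />
  </system.web>
</configuration>
```

A site published with this transform must not be reachable over plain http, otherwise it shows the same symptom the answers describe: the cookie is never sent back and each request starts a new session.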


1

For MVC, make sure the web.config has the configuration below.

<httpCookies httpOnlyCookies="true" requireSSL="false" />

in the <system.web> section.

