ASP.NET Sessions

Rashid

Guppy
Hi,

I am using cookies on my site, but I am thinking of using sessions if users have problems with cookies. I wanted to ask a few things.

1- Are sessions safe?

2- How do I control session expiration? Session.timeout? If yes, how do I make a particular session like session("username") expire after 30 min if the user is not requesting any page?

3- Are sessions unique? Meaning, will session("username") = "Test" be unique for all users, as I will move their username between pages?

Thanks
 
Rashid,

Keep in mind that sessions use cookies to store the session id, unless you set cookieless="true" in the web.config file. Then the session id is added to the URL. So if your url was www.mysite.com/mypage.aspx, it becomes www.mysite.com/sessionid/mypage.aspx. ASP.NET handles adding the session id to the url whenever a user requests your normal url.

I don't think sessions are entirely safe. But one person would have to know (or guess) the session id of another person.

The timeout is controlled from the web.config file under the sessionState section. You can also do something like Session.Timeout = 30 in your code.

Session variables are unique per session (strangely enough!). Each user is given a session id which stays the same until they leave the site (or it expires). When you say session["username"] = "user1", the value "user1" is stored against the session id of that user. No two users will have the same session id at the same time, so that "user1" value is not available to any other user.

http://www.aspfree.com/c/a/ASP.NET/Application-and-Session-Objects-in-ASP.NET/ explains sessions in ASP.NET further. There are many more articles available on the web.

Regards,
Watson
 
Watson said:
Rashid,

Keep in mind that sessions use cookies to store the session id, unless you set cookieless="true" in the web.config file. Then the session id is added to the URL. So if your url was www.mysite.com/mypage.aspx, it becomes www.mysite.com/sessionid/mypage.aspx. ASP.NET handles adding the session id to the url whenever a user requests your normal url.

I don't think sessions are entirely safe. But one person would have to know (or guess) the session id of another person.

The timeout is controlled from the web.config file under the sessionState section. You can also do something like Session.Timeout = 30 in your code.

Session variables are unique per session (strangely enough!). Each user is given a session id which stays the same until they leave the site (or it expires). When you say session["username"] = "user1", the value "user1" is stored against the session id of that user. No two users will have the same session id at the same time, so that "user1" value is not available to any other user.

http://www.aspfree.com/c/a/ASP.NET/Application-and-Session-Objects-in-ASP.NET/ explains sessions in ASP.NET further. There are many more articles available on the web.

Regards,
Watson

Thanks for the reply

So you are talking about this in web.config

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;user id=sa;password=" cookieless="false" timeout="20" />


I set timeout="20" to timeout="30" and cookieless="false" to cookieless="true", right?

What are these for?
sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="

Suppose sessions are added to the URL. How do I retrieve data from the database? Like
Session("username") = "U1"

U1 is verified from the database and stored in the session so that I use the username to get data on pages? What is the use of the session in the URL? Is it used against that username to get data from the database?
 
Yes, set timeout to 30 and cookieless to true.

The "mode" tells IIS where to store the session values and can be changed to a couple of other settings. I don't know exactly what they are. I think "InProc" basically means the session values are stored in memory on the IIS server. It can be changed to SQL so that the values are stored in a database. This is useful if you had load-balanced (multiple) servers. You couldn't store the values in memory on the IIS server, as the user may be served by a second or third server next time they request a page. That server wouldn't have access to the memory on the first server. Storing them in a database provides a central area that all servers could access. On shared hosting we don't have that problem though, as our site is only served up by one server.

I don't know what you mean about retrieving data from a database. Sessions are for storing values you've already retrieved. You retrieve them from a database, then store them in a session variable (if you need to).

You store a value in a session variable by saying something like (in C#):
Session["username"] = "watson";

Then until your session timed out or the user left the site, Session["username"] would always equal "watson".

In order to know which Session["username"] belongs to which user (if you have 10 users on your site at once there will be 10 session["username"]'s available at once), IIS gives each user a SessionID. This will be something like "zlsvosmqxtrmhb55b1sq4vmu"

Using "cookieless" sessions, your URL would then read http://www.mysite.com/zlsvosmqxtrmhb55b1sq4vmu/mypage.aspx

When you request Session["username"], IIS looks up the username for the sessionID "zlsvosmqxtrmhb55b1sq4vmu". Without this ID it would have no way of knowing which user is which.

If you don't use "cookieless" sessions, this sessionID has to be stored in a cookie on the client end. When you try to retrieve a value stored in a session variable, IIS requests the sessionID from the cookie, then looks up the "username" value for that sessionID.

This is probably getting confusing. I'll stop there for now.
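
The lookup described in the post above, as an added illustration (not code from the thread and not ASP.NET's own implementation): a simplified C# model of a session store keyed by session ID with a sliding idle timeout. The class name `SessionStoreModel`, the 16-byte hex ID format and the timestamps are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Simplified model of a server-side session store (assumption: not ASP.NET's real code).
class SessionStoreModel
{
    class Entry
    {
        public Dictionary<string, object> Values = new Dictionary<string, object>();
        public DateTime LastRequestUtc;
    }
    readonly Dictionary<string, Entry> _sessions = new Dictionary<string, Entry>();
    readonly TimeSpan _timeout;
    public SessionStoreModel(int timeoutMinutes) { _timeout = TimeSpan.FromMinutes(timeoutMinutes); }

    // New visitor: issue a random ID; the client returns it in a cookie or in the URL.
    public string Create(DateTime nowUtc)
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string id = BitConverter.ToString(raw).Replace("-", "").ToLowerInvariant();
        _sessions[id] = new Entry { LastRequestUtc = nowUtc };
        return id;
    }

    // Every request: look the ID up; null means unknown ID or idle longer than the timeout.
    public Dictionary<string, object> Get(string id, DateTime nowUtc)
    {
        Entry e;
        if (!_sessions.TryGetValue(id, out e)) return null;
        if (nowUtc - e.LastRequestUtc > _timeout) { _sessions.Remove(id); return null; }
        e.LastRequestUtc = nowUtc;   // sliding window: each request restarts the clock
        return e.Values;
    }

    static void Main()
    {
        var store = new SessionStoreModel(30);                               // timeout="30"
        DateTime t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        string a = store.Create(t0), b = store.Create(t0);                  // two visitors
        store.Get(a, t0)["username"] = "U1";
        store.Get(b, t0)["username"] = "U2";
        Console.WriteLine(store.Get(a, t0.AddMinutes(10))["username"]); // a's ID maps only to a's value
        Console.WriteLine(store.Get(a, t0.AddMinutes(39)) != null);     // 29 min since a's last request
        Console.WriteLine(store.Get(a, t0.AddMinutes(70)) == null);     // 31 min idle: past the timeout
        Console.WriteLine(store.Get(b, t0.AddMinutes(20))["username"]); // any request carrying b's ID reads b's session
    }
}
```

The store never sees who is asking, only which ID was presented, so keeping the ID out of shared links, logs and bookmarks matters more when it travels in the URL than when it sits in a cookie.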
 
LegalAlien said:
Don't use sessions EVER! Sorry Subspace. Beat you to it! :p

There is one circumstance where one might want to use sessions: It's 3:00AM, you're tired, you just want to see the application run before you go to bed, and you know you are going to get up the next morning and revise the application to remove the session code. :)

riley
 
riley said:
There is one circumstance where one might want to use sessions: It's 3:00AM, you're tired, you just want to see the application run before you go to bed, and you know you are going to get up the next morning and revise the application to remove the session code. :)

From my experience, sessions are ok for use in Intranet based systems. I don't use them on the web though.
 
Hello, I've some problems connected with random Session expiration. All settings in the web.config file are OK.
Does anyone have ideas what the reason for such behavior is?

AlexanderM
 
I've seen this happen if the client accesses the internet through a proxy server requiring authentication. When they are prompted for their credentials by the proxy server, the session is reset.

Other than that, I can't think of any other reason. Most likely something on the client end causing it. Have you tried cookieless sessions just to see if the problem stops?

Watson.
 
In reply to Mag604, I responded to the same question on another post but I've cut and pasted my response below....

There is definitely a problem with sessions being dropped on the JodoHost Win servers when using dotnet. It has nothing to do with spyware! It may not be all their servers but there is definitely an issue. Let me guess, the session drops randomly? Sometimes in one minute, other times it takes ten minutes? This is actually a common problem with shared servers using IIS6. "touching" a web.config or machine.config will cause the AppDomain (new to IIS6) to recycle. Recycling an appDomain will drop Application, Cache and yes, in-process sessions. This happens because this information is now stored in the appDomain logical process!

I noticed there was a post from the Windows Admin --- Is your server running IIS6? If so, look into application pooling and appDomain regarding session drops.

- Michael Cyrid, MCSD, Microsoft Certified Partner


Mag604 said:
Hello, I've some problems connected with random Session expiration. All settings in the web.config file are OK.
Does anyone have ideas what the reason for such behavior is?

AlexanderM
 
Again, no need to bump every topic with the same thing, this is handled on a per-customer basis, and has been for over a year now.
 
Sorry, I only responded to two posts that were having similar issues because I thought my response would be useful.

Just to clarify, my posts were not meant as cracks on JH support. Other than the session thing, JodoHost service and support has always been very good, immediate and painless.

Stephen said:
Again, no need to bump every topic with the same thing, this is handled on a per-customer basis, and has been for over a year now.
 
I was mostly pointing out that we are already well aware of this and resolve it when needed by the customer :D
 
Hey,

I had this exact same problem about a year ago and this is because your asp.net application is running in the same application pool as other asp.net applications.

Typically, many asp.net applications are grouped together into pools and well good old Win2K3 has a bug in how it handles sessions.

Imagine this: App A and App B are running in the same pool. App A expires a session, App B is automatically affected by App A's operations. This is why mysteriously sessions expire and not only that, it is random and dependent on all the applications on that pool.

The solution is to create an application pool w/ just your application. The drawback in this approach is that each pool takes about 5 MB of RAM (may be more, not sure).

Hope it helps.
 