How Does Session Handling Work / Sessions Eat Up All Memory If Cookies Are Disabled

Oct 28, 2010

In my project I have configured .NET's sessions to go into database.

I also have a global.asax which implements Session_Start().

In Session_Start() I write three things to the session:

The time the session started.

The user's host address.

A serializable device object wrapping the user's agent.

The problem is now that users which don't allow cookies won't allow session cookies either.

(Easily reproducable by putting the site URL to the restricted sites of IE).

If I keep on refreshing (put finger on F5) a new session is created for every request (-> no session cookie). Shortly, the web server process grows to some hundred megabytes.

It does not matter if you use IIS7 or Cassini Local Webserver.

The issue is now: the memory does not get released until the sessions time out. What is the logic here if sessions should really go to database? How long will .NET keep them in memory? Eventually, you'll even get Out Of Memory exceptions!

Anybody know? How to detect and prevent such (almost malicious) "attacks"?

View 2 Replies


Similar Messages:

State Management :: How To Detect The Session Cookies Enabled/Disabled

Aug 10, 2010

using ASP.NET 2.0 VB.NET how to detect if the session cookies are enabled?

I know how to detect the cookies in general but you can set IE to block the cookies and accept the session cookies...How to detect this?

View 2 Replies

Site Uses Cookies - Need To Switch To Sessions

Nov 17, 2010

My site uses cookies. I need to have it use sessions instead. The reason for this is because there is a third party that needs to connect to it, and it's always requiring 3rd party cookies to be enable in the browser and that is annoying my customers. Is there any other way around this other than switching to sessions?

View 4 Replies

Saving Sessions In SSL Encrypted Cookies Vs. Client Certificates?

Dec 10, 2010

Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.

The way I see understand it currently:

Encrypted cookies:

Saved on the user's machine just like any other cookie Since the entire site is SSL, the contents of the cookie cnnot be tampered withEasily implementableWhen a user logs in again, invalidate the token / key and issue a new one

Problems:

Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?

How do I know that computer A is computer A and not just computer B that copied computer A's cookie?

Client Certificates:

A pain in the ass to install Will uniquely identify that person's computer (or can it be restricted to the user account) to the web portal If the client certificate is stolen, then the account is compromised

Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?

View 1 Replies

State Management :: Behavior For Sessions On Cookies Can Apply To .NET Framework 3.5?

May 6, 2010

The document http://msdn.microsoft.com/en-us/library/ms178581.aspx states the following about expired sessions:Regenerating Expired Session Identifiers By default,the session ID values that are used in cookieless sessions are recycled.That is,if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request.This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers.As you can see it talks about "cookieless sessions" but,what is the behavior for sessions based on cookies? Does it apply to .NET Framework 3.5?

View 2 Replies

Is It Possible To Detect If Cookies Are Disabled In One Round Trip

Aug 4, 2010

If I disable javascript and cookies, [URL] detects that cookies are disabled without a redirect. If you click the cart link, there's only a get on the cart page.

I'm guessing [URL] is most likely not using ASP.NET, but how would you accomplish detecting disabled cookies using ASP.NET without the use of javascript and redirecting? Is it possible to detect if cookies are disabled in one round trip?

View 4 Replies

State Management :: Cookies Are Disabled In Browser?

Mar 10, 2011

What will happen if cookies are disabled in my browser, will the session(sessionid and session variables) still be created?

View 2 Replies

Cookie Still Working When Browser Has Cookies Disabled?

Sep 2, 2011

It's weird, my firefox has cookies disabled, yet I am still able to retrieve the cookie.

Code:
protected void Page_Load(object sender, EventArgs e)
{
Response.Cookies["a"].Value = "1";
}
protected void Button1_Click(object sender, EventArgs e)
{
Label1.Text = Request.Cookies["a"].Value.ToString(); //it returns value
}

Why is this?

View 7 Replies

State Management :: Cookies Are Disabled At The Clients Environment?

Nov 24, 2010

if cookies are disabled at the clients enviorment, what should we use to store the global data or the sessional data, for example now i use APPLICATION["VarName"]=Value;

To store the data, how is it different from

SESSION["VarName"]=Value;

Also if both dont work when cookies disabled , what is the best approach to store the global data

View 3 Replies

Security :: Emulate The Effects Of User Cookies Being Disabled?

Jul 20, 2010

How can I emulate the effects of user cookies being disabled?

View 2 Replies

Can Use SQL Server Session State With Sessions That Contain DataTables

Feb 2, 2011

I have inherited an ASP.NET 3.5 application that relies heavily on sessions and storing DataTables within them (I know - bad, bad, bad). The application pool on the remote shared hosting service indicated that memory is at full capacity and as a result customers are losing their shopping carts because of dropped sessions.

Ultimately the goal is to rewrite this code, but for the time being I would like to stabilize the site the best I can. The host has recommended I use SQL Server Session State instead of in-proc. I have no experience with this, so I'm hoping it's as simple as running the .sql against the database to configure SQL Server and updating the web.config.

View 1 Replies

Setup Last Page To Clear Sessions Using Session.Abandon();

Mar 22, 2010

I have just added the following to the very last page of my application.

[Code]....

And then i have this on each of the pages before the last, within my Page_load:

[Code]....

I have different sessions thruout the application process, but this one session is only set at the beginning of the process and once i kill it on the last page, any attempt to hit Back or trying to access any page directly without first starting, i need to force them to the beginning, what am i missing or doing wrong?

sessID is set on page 1 and is available until you get to the last page. Where i added the Session.Abandon(); Now if i get to the last page and hit back before the refresh occurs, im able to go back, but the page comes up with null reference for other sessions that are obvisously cleared / killed with the abandon. So i should have to check for each session should i? I mean if the abandon killed them all, then checking for the main session should be enough right?

View 7 Replies

C# - Sessions And Sqlsyntax - How To Add A Session To A Login Authenticate Method

Mar 21, 2011

im trying to set up a session for UserID which is contained in the User table along with username and password. Im unsure how to get the UserID based on the username and password in my sqlsyntax then pass it to my session? My last peace of code is just a test in a label to see if it will pass the number to the label.

[code]....

View 1 Replies

Asp - Losing Session Variables - What Exception Might Cause Sessions To Be Lost

Oct 1, 2010

I have health monitoring enabled on a production system (asp.net webforms .net 4) and I see that there's a lot of errors being sent to me indicating that a session variable has been lost.(I am trying to attach something out of session state to a entity framework data context and get a "Value cannot be null, parameter n ame entity" error). So somehow the session variable now contains null and not an object. Interestingly we have the same application deployed on two separate servers - one DMZ server for external users and one internal server for internal users. Both of these applications on two different servers seem to have the same problem.

Health Monitoring is also monitoring lifetime events and I can see from this that we do not have something like IIS recycling, config changes, changes to bin folder, recompilations etc, occuring. I've read this page: [URL] I can confirm that it's not a Response.Redirect problem because that's not happening - this is an online application form - it puts an object in session state on page_load and there's a multiview - when "next" is pressed, the object comes out of session state, is attached to the data context, changes are made from the web form and the datacontext updated. So there's no response.redirect happening.

I can also confirm the details in "Update 1" and "Update 2" from that link are not relevant to me - there is only 1 worker process running in the application pool and the server name or web address do not contain underscores. I also persued the possibility of session timeouts occuring but they should be handled by other code which is running to detect session timeouts (see: [URL]) which I have tested over and over - Part of the problem is I just cannot reproduce this error myself.......................

View 1 Replies

MVC :: Cookies Don't Work Second Time In IE 8?

Nov 26, 2010

I have a page on which there is a parent organisation followed by a list of child organisations. To view the data of these child organisations, there is a GO button for each child organisation. I set the ID of the child organisation in a cookie on the click of the GO button. When I come back to the home page, I delete the cookie.

My problem is that in IE 8 the first time the GO button works fine. But when I come back to the home page and click on the GO button of the same child organisation, the ID is not set in the cookie.

This problem does not occur in Firefox at all.

This is the code in JavaScript where I set the cookie and then call my page.

function GetOrganisation(id, path) {
$.get('<%=Url.Action("SetOrganisationID", "AdminSettings") %>', { 'Organisationid': id }, function (data) {
if (data.Success) {
$.get('<%=Url.Action("GetOrganisationDetails", "AdminSettings") %>', { 'Organisationid': id });

[Code]....

View 1 Replies

Cookies Login Doesn't Work

Mar 24, 2011

I have a problem. I have done custom "Remember Me" functionality using cookies.

[code]....

I see the cookie in firecookies tools in the Firefox. It exists and has the correct expiration date.

But when I changed time - moved to next month. After that I entered to the site and I unlogged user.

View 1 Replies

Web Forms :: How To Work With Validation Controls If Javascript Disabled

Mar 24, 2011

if i turn off the java script in any browser will validation controls will work and if yes then how to work by disabling the java script

View 1 Replies

How To Use SESSION And Cookies Together

Feb 22, 2010

I want to use session object in my web app.I want to store some cookies too(Some custom informations) .How can i use both without the URL not being modified like [URL]

In my ASP.NET page,I am setting some session variable

Session["customerId"]="Some name";

Then i am trying to set some value in cookie

[code]....

In this page now i can access the sesion variable values,But when i m being Redirected to another asp.net page, I am not getting my session values there.Its seems like Its being lossed.

View 3 Replies

MVC :: Can't Get Exception Handling To Work?

Aug 3, 2010

I have a weird situation here. Using VS2010 and the MVC2 application template, I'm trying to set up error handling, but it refuses to work... Even with a simple controller throwing an exception in the index:

[Code]....

And <customErrors mode ="On"></customErrors> in the web.config file, MVC breaks into the code and tells me that "Exception was unhandled by user code". The default Error.aspx (static text only) is located in /Views/Shared, and I've even removed the login partial view from the master page.

View 2 Replies

How To Store Value In Session If In Browser Cookie Is Disabled

Dec 1, 2010

Can i still store value in session if in browser cookie is disabled?

View 2 Replies

How To Make Session To Not To Use Cookies

Nov 26, 2010

How to make session to not to use cookies

View 4 Replies

How To Set Cookies And Session Variables

Jan 27, 2010

Am trying to design login page for my website and I am looking for methods other than forms authentication. The way in which I am trying is to have a table in the database that stores user information and check for the user validity.

The point where I get struck is how do i set cookies and session variables and how will I carry it through out the system. Can anyone tell/suggest me where I can relevant material so as to move forward. And also is my idea of negating traditional forms authentication and going for a model I described, is it good also does any other better method exist?

View 1 Replies

Make Session, Not Use Cookies?

Jul 5, 2010

How can we make session, not use cookies ?

View 1 Replies

Are Session And Cookies The Same Thing

Sep 24, 2010

Since session and cookies are both used to store temporary data, what is the difference between them?

View 9 Replies

C# - DataTable From Session Memory Has No Columns

Jan 18, 2011

Im trying to retrieve a datatable that I put into a session variable, however when i do it apears that there are no columns... I have done this before in VB.NET, I'n now using C#, and it worked perfectly, and as far as i can see there is no change in the code other than the obvious syntax changes.

EDIT: The dt (in part 2) variable has the right data when i look in the data visulization window, but i have noticed that the other properties associated with a datatable are abscent. When i hover over a normal looking datatable with my mouse it looks like the following: " dt ----- {System.Data.DataTable}" but in the class im working on it just looks like "dt ----- {}". Also, after I return the session variable into the dt I clone it (dtclone = dt.clone(); ) and the clone is empty in the data visulizer.... what on earth!

EDIT 2: I have now also tried converting the first datatable to a dataset, putting this in the session variable, and recoverting it back to a datatable in the class. Am starting to wonder if it is a probelm with: dt.Load(sqlReader); The data does appear after this step though in the dataset visualiser, but not after being cloned. Code below.

1) SQL command in a webhandler, the results of which populate the datatable to be put into the session variable.

DataTable dt = new DataTable();
SqlDataReader sqlReader= default(SqlDataReader);
SqlDataAdapter sqlAdapter = new SqlDataAdapter();
sqlReader = storedProc.ExecuteReader(CommandBehavior.CloseConnection);
dt.Load(sqlReader);
System.Web.HttpContext.Current.Session["ResultsTable"] = dt;

2) Part of the code in a class which performs calculations on the table:

DataTable dt = (DataTable)HttpContext.Current.Session["ResultsTable"];

View 1 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved