How Does Session Handling Work / Sessions Eat Up All Memory If Cookies Are Disabled
Oct 28, 2010
In my project I have configured .NET's sessions to go into database.
I also have a global.asax which implements Session_Start().
In Session_Start() I write three things to the session:
The time the session started.
The user's host address.
A serializable device object wrapping the user's agent.
The problem is now that users which don't allow cookies won't allow session cookies either.
(Easily reproducable by putting the site URL to the restricted sites of IE).
If I keep on refreshing (put finger on F5) a new session is created for every request (-> no session cookie). Shortly, the web server process grows to some hundred megabytes.
It does not matter if you use IIS7 or Cassini Local Webserver.
The issue is now: the memory does not get released until the sessions time out. What is the logic here if sessions should really go to database? How long will .NET keep them in memory? Eventually, you'll even get Out Of Memory exceptions!
Anybody know? How to detect and prevent such (almost malicious) "attacks"?
My site uses cookies. I need to have it use sessions instead. The reason for this is because there is a third party that needs to connect to it, and it's always requiring 3rd party cookies to be enable in the browser and that is annoying my customers. Is there any other way around this other than switching to sessions?
Background: From a desktop application, users will navigate to an SSL-encrypted web portal where they will have to enter a username / password if it's their first time logging in. I want to be able to securely persist their user session. I was thinking of using encrypted cookies, storing their username and a unique session token / key, but was wondering what benefits client certificates offered in terms of security.
The way I see understand it currently:
Encrypted cookies:
Saved on the user's machine just like any other cookie Since the entire site is SSL, the contents of the cookie cnnot be tampered withEasily implementableWhen a user logs in again, invalidate the token / key and issue a new one
Problems:
Anyone attempting to access the web portal on the computer with a saved session will be able to, but this is a problem with any persisted session, right?
How do I know that computer A is computer A and not just computer B that copied computer A's cookie?
Client Certificates:
A pain in the ass to install Will uniquely identify that person's computer (or can it be restricted to the user account) to the web portal If the client certificate is stolen, then the account is compromised
Question: For persisting user sessions with the utmost security, would encrypted cookies be sufficient or would I need to install client certificates? How do they differ?
The document http://msdn.microsoft.com/en-us/library/ms178581.aspx states the following about expired sessions:Regenerating Expired Session Identifiers By default,the session ID values that are used in cookieless sessions are recycled.That is,if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request.This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers.As you can see it talks about "cookieless sessions" but,what is the behavior for sessions based on cookies? Does it apply to .NET Framework 3.5?
If I disable javascript and cookies, [URL] detects that cookies are disabled without a redirect. If you click the cart link, there's only a get on the cart page.
I'm guessing [URL] is most likely not using ASP.NET, but how would you accomplish detecting disabled cookies using ASP.NET without the use of javascript and redirecting? Is it possible to detect if cookies are disabled in one round trip?
if cookies are disabled at the clients enviorment, what should we use to store the global data or the sessional data, for example now i use APPLICATION["VarName"]=Value;
To store the data, how is it different from
SESSION["VarName"]=Value;
Also if both dont work when cookies disabled , what is the best approach to store the global data
I have inherited an ASP.NET 3.5 application that relies heavily on sessions and storing DataTables within them (I know - bad, bad, bad). The application pool on the remote shared hosting service indicated that memory is at full capacity and as a result customers are losing their shopping carts because of dropped sessions.
Ultimately the goal is to rewrite this code, but for the time being I would like to stabilize the site the best I can. The host has recommended I use SQL Server Session State instead of in-proc. I have no experience with this, so I'm hoping it's as simple as running the .sql against the database to configure SQL Server and updating the web.config.
I have just added the following to the very last page of my application.
[Code]....
And then i have this on each of the pages before the last, within my Page_load:
[Code]....
I have different sessions thruout the application process, but this one session is only set at the beginning of the process and once i kill it on the last page, any attempt to hit Back or trying to access any page directly without first starting, i need to force them to the beginning, what am i missing or doing wrong?
sessID is set on page 1 and is available until you get to the last page. Where i added the Session.Abandon(); Now if i get to the last page and hit back before the refresh occurs, im able to go back, but the page comes up with null reference for other sessions that are obvisously cleared / killed with the abandon. So i should have to check for each session should i? I mean if the abandon killed them all, then checking for the main session should be enough right?
im trying to set up a session for UserID which is contained in the User table along with username and password. Im unsure how to get the UserID based on the username and password in my sqlsyntax then pass it to my session? My last peace of code is just a test in a label to see if it will pass the number to the label.
I have health monitoring enabled on a production system (asp.net webforms .net 4) and I see that there's a lot of errors being sent to me indicating that a session variable has been lost.(I am trying to attach something out of session state to a entity framework data context and get a "Value cannot be null, parameter n ame entity" error). So somehow the session variable now contains null and not an object. Interestingly we have the same application deployed on two separate servers - one DMZ server for external users and one internal server for internal users. Both of these applications on two different servers seem to have the same problem.
Health Monitoring is also monitoring lifetime events and I can see from this that we do not have something like IIS recycling, config changes, changes to bin folder, recompilations etc, occuring. I've read this page: [URL] I can confirm that it's not a Response.Redirect problem because that's not happening - this is an online application form - it puts an object in session state on page_load and there's a multiview - when "next" is pressed, the object comes out of session state, is attached to the data context, changes are made from the web form and the datacontext updated. So there's no response.redirect happening.
I can also confirm the details in "Update 1" and "Update 2" from that link are not relevant to me - there is only 1 worker process running in the application pool and the server name or web address do not contain underscores. I also persued the possibility of session timeouts occuring but they should be handled by other code which is running to detect session timeouts (see: [URL]) which I have tested over and over - Part of the problem is I just cannot reproduce this error myself.......................
I have a page on which there is a parent organisation followed by a list of child organisations. To view the data of these child organisations, there is a GO button for each child organisation. I set the ID of the child organisation in a cookie on the click of the GO button. When I come back to the home page, I delete the cookie.
My problem is that in IE 8 the first time the GO button works fine. But when I come back to the home page and click on the GO button of the same child organisation, the ID is not set in the cookie.
This problem does not occur in Firefox at all.
This is the code in JavaScript where I set the cookie and then call my page.
function GetOrganisation(id, path) { $.get('<%=Url.Action("SetOrganisationID", "AdminSettings") %>', { 'Organisationid': id }, function (data) { if (data.Success) { $.get('<%=Url.Action("GetOrganisationDetails", "AdminSettings") %>', { 'Organisationid': id });
I want to use session object in my web app.I want to store some cookies too(Some custom informations) .How can i use both without the URL not being modified like [URL]
In my ASP.NET page,I am setting some session variable
Session["customerId"]="Some name";
Then i am trying to set some value in cookie
[code]....
In this page now i can access the sesion variable values,But when i m being Redirected to another asp.net page, I am not getting my session values there.Its seems like Its being lossed.
I have a weird situation here. Using VS2010 and the MVC2 application template, I'm trying to set up error handling, but it refuses to work... Even with a simple controller throwing an exception in the index:
[Code]....
And <customErrors mode ="On"></customErrors> in the web.config file, MVC breaks into the code and tells me that "Exception was unhandled by user code". The default Error.aspx (static text only) is located in /Views/Shared, and I've even removed the login partial view from the master page.
Am trying to design login page for my website and I am looking for methods other than forms authentication. The way in which I am trying is to have a table in the database that stores user information and check for the user validity.
The point where I get struck is how do i set cookies and session variables and how will I carry it through out the system. Can anyone tell/suggest me where I can relevant material so as to move forward. And also is my idea of negating traditional forms authentication and going for a model I described, is it good also does any other better method exist?
Im trying to retrieve a datatable that I put into a session variable, however when i do it apears that there are no columns... I have done this before in VB.NET, I'n now using C#, and it worked perfectly, and as far as i can see there is no change in the code other than the obvious syntax changes.
EDIT: The dt (in part 2) variable has the right data when i look in the data visulization window, but i have noticed that the other properties associated with a datatable are abscent. When i hover over a normal looking datatable with my mouse it looks like the following: " dt ----- {System.Data.DataTable}" but in the class im working on it just looks like "dt ----- {}". Also, after I return the session variable into the dt I clone it (dtclone = dt.clone(); ) and the clone is empty in the data visulizer.... what on earth!
EDIT 2: I have now also tried converting the first datatable to a dataset, putting this in the session variable, and recoverting it back to a datatable in the class. Am starting to wonder if it is a probelm with: dt.Load(sqlReader); The data does appear after this step though in the dataset visualiser, but not after being cloned. Code below.
1) SQL command in a webhandler, the results of which populate the datatable to be put into the session variable.
DataTable dt = new DataTable(); SqlDataReader sqlReader= default(SqlDataReader); SqlDataAdapter sqlAdapter = new SqlDataAdapter(); sqlReader = storedProc.ExecuteReader(CommandBehavior.CloseConnection); dt.Load(sqlReader); System.Web.HttpContext.Current.Session["ResultsTable"] = dt;
2) Part of the code in a class which performs calculations on the table:
