Session variable lost - only with IIS and cookies

  • Question

  • User260076833 posted


    I have a serious problem with my application: When the user is switching between pages, it randomly loses a session variable.

    This happens on the production machine in the data center, where the application is running on IIS and where I cannot access the configuration of IIS. It doesn't happen when running the application inside Visual Studio with the built-in web server (IIS Express). When I set sessionState cookieless='true' in web.config, the problem also does not occur on the production machine.


    My application uses authentication mode="Windows" and retrieves the "current user" from the AD environment (page.User.Identity.Name). This identity determines which rights the user has and which menu entries he is seeing. This all happens in a master page, which is included by all content pages.

    However, I have added for the system administrator a functionality to "simulate" an arbitrary user. The administrator may select a user from a DropDownList and then this user is stored in a session variable ("ctx_User"). There is a central method for retrieving the current user:

    public class SystemManager
    {
        // Returns the simulated user if one is stored in the session,
        // otherwise the authenticated Windows user.
        public static String getCurrentUser(Page page)
        {
            Object o = page.Session["ctx_User"];
            String u;
            if (o != null)
                u = o.ToString();
            else
                u = getAuthenticatedUser(page); // retrieves the user from page.User.Identity.Name
            return (u);
        }
    }

    Note that you have to pass a Page object to this method so that it can access the Session.

    Then, in the application's master page, I retrieve the current user and adapt his privileges:

    public partial class MyMasterPage : System.Web.UI.MasterPage
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            String user = SystemManager.getCurrentUser(Page);
            adaptRightsAndMenus(user);
        }
    }


    The administrator selects some user and then the session variable "ctx_User" is set. Since he is simulating a normal user now, he has only limited rights and the number of items in the menu bar has reduced. Then, he is doing the work as the normal user. And suddenly, after selecting another menu item, he has the full rights again and all menu items reappear.

    I can verify by tracing that the session variable "ctx_User" is gone at this moment, but the SessionID has remained the same.

    Note that some of the pages that are pointed to by the menu entries are placeholders that make a redirect to another page. But I believe that I am doing this right:

            protected void Page_Load(object sender, EventArgs e)
            {
                Response.Redirect("personal/list.aspx", false);
            }



    As mentioned above, the problem doesn't occur with cookieless="true". But what exactly does that tell me?

    The decision cookies yes or no should only affect how the SessionID is stored at the client. But the variables reside at the server in both cases. So I don't understand why this makes a difference at all?

    If I should request some IIS logs from the data center, what could they tell me?

    As I still have no idea what could be causing this behavior: What would you do to get closer to the solution?


    Friday, February 24, 2017 8:18 AM

All replies

  • User-1315512054 posted


    Check your session and application pool timeout.


    Friday, February 24, 2017 9:10 AM
  • User260076833 posted

    Hello HostingASP,

    the behavior happens within seconds. If there were a session timeout, then I would get a new SessionID, right? But it remains the same.

    Please explain, if I got something wrong...


    Friday, February 24, 2017 10:52 AM
  • User475983607 posted

    I would use a cookie rather than Session.  Cookies are tolerant of app pool restarts and load balanced environments.  

    Friday, February 24, 2017 3:38 PM
  • User1771544211 posted

    Hi Yeoman,

    As mentioned above, the problem doesn't occur with cookieless="true". But what exactly does that tell me?

    The cookieless attribute specifies whether sessions without cookies should be used to identify client sessions.

    cookieless="true": ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.

    cookieless="false": The default value is false. By default, the SessionID value is stored in a non-expiring session cookie in the browser.

    When you set cookieless="true", then the session ID is maintained in the URL, and the session variable is lost when you maintain the session ID in a cookie. So I think the problem seems to be related to the cookie settings in the production server.

    As I still have no idea what could be causing this behavior: What would you do to get closer to the solution?

    A number of things can cause session state to mysteriously disappear.

    1. Your sessionState timeout has expired
    2. You update your web.config or other file type that causes your AppDomain to recycle
    3. Your AppPool in IIS recycles
    4. You update your site with a lot of files, and ASP.NET proactively destroys your AppDomain to recompile and preserve memory.

    Here are a few things to look for:

    1. By default, IIS sets AppPools to turn themselves off after a period of inactivity.
    2. By default, IIS sets AppPools to recycle every 1740 minutes (obviously depending on your root configuration, but that's the default)
    3. In IIS, check out the "Advanced Settings" of your AppPool. In there is a property called "Idle Time-out". Set that to zero or to a higher number than the default (20).
    4. In IIS, check the "Recycling" settings of your AppPool. Here you can enable or disable your AppPool from recycling. The 2nd page of the wizard is a way to log to the Event Log each type of AppPool shut down.

    Best Regards,


    Monday, February 27, 2017 3:27 AM
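
One way to tell the causes listed in the reply above apart, as an added example that is not part of the original thread: a Global.asax.cs that logs AppDomain starts and shutdown reasons, new sessions, and the worker process ID for every request. The log format, the use of `Trace` (which needs a listener configured in web.config and the TRACE constant defined), and the class name `Global` are assumptions; `ctx_User` is the session key from the question.

```csharp
// Global.asax.cs: diagnostic logging (added example; log format is an assumption)
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Hosting;

public class Global : HttpApplication
{
    private static void Log(string evt, string detail)
    {
        // The PID changes when a different worker process serves the request
        // (app pool recycle, or a web garden with several w3wp.exe instances).
        Trace.WriteLine(String.Format("{0:o} pid={1} appdomain={2} {3} {4}",
            DateTime.UtcNow, Process.GetCurrentProcess().Id,
            AppDomain.CurrentDomain.Id, evt, detail));
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        Log("Application_Start", "");
    }

    protected void Application_End(object sender, EventArgs e)
    {
        // ShutdownReason separates config changes, idle time-out, recompiles, etc.
        Log("Application_End", "reason=" + HostingEnvironment.ShutdownReason);
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        Log("Session_Start", "id=" + Session.SessionID);
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only when session state mode is InProc.
        Log("Session_End", "id=" + Session.SessionID);
    }

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null) return; // handler without session state
        // Log only whether the key is present, not the simulated user's name.
        Log("Request", String.Format("url={0} id={1} isNew={2} hasCtxUser={3}",
            ctx.Request.RawUrl, ctx.Session.SessionID, ctx.Session.IsNewSession,
            ctx.Session["ctx_User"] != null));
    }
}
```

With cookie-based sessions, ASP.NET reuses the ID the browser sends when it starts a new session, so an unchanged SessionID alone does not rule out a reset; a `Session_Start` line, `isNew=True`, or a changed `pid` between two requests does show one.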
  • User260076833 posted

    Hello all,

    in the meantime, I tried to build a minimal example.

    At first, I copied the relevant parts of my real-life application, which includes a nested page/master/master form and does redirects on several events, into an isolated "minimal example 1". It's a page that displays a session variable, with a menubar that reloads the page using page redirects. After deploying the minimal example 1 and clicking on the menu entries over and over again until the session variable was gone, I could reproduce the problem.

    Then, I reduced "minimal example 1" again and again, so that I arrived at "minimal example 3", which also was able to reproduce the problem. What I removed was a lot of jQuery related includes as well as the 2-stage master file, which I reduced to a single master file. As said, the small example still was able to reproduce the problem.

    However, when the example was getting smaller in code, I had to click more often on the menu entries to reproduce the loss of the session variable. Sometimes I thought I couldn't reproduce it, but then, after minutes, the variable disappeared. Note that every reproduction was done in minutes, by reloading the page over and over again. So I am sure that it has nothing to do with application time-out or something like that.

    However, sometimes I cannot reproduce the problem with any of the minimal examples. Then, I tried the real-life situation (simulating another user), and the problem reappeared again.

    This is going to get hopeless. I would be glad if I could investigate the problem in a more systematic way.
    Any ideas are welcome.


    Wednesday, March 1, 2017 8:59 AM