locked
Why asp.net session expires sooner than its timeout? RRS feed

  • Question

  • User949494092 posted

    I have an Asp.net webservice. It has method M1. M1 creates a folder for each session. When a session is expired, I delete that folder in global.asax using the following code.

    void Session_End(object sender, EventArgs e)
            {
                try
                {
                    System.IO.DirectoryInfo dirMyPacksFolder = new System.IO.DirectoryInfo(Utilities.getMyPacksFolder(Session));
                    //dirMyPacksFolder.Parent.CreateSubdirectory("ended_" + Session.SessionID);
                    if (dirMyPacksFolder.Exists)
                    {
                        dirMyPacksFolder.Delete(true);
                    }
                }
                catch (Exception ex)
                {
                    Utilities.logException("", ex);
                }
            }




    When I open my webservice in browser and call M1, it operates correctly and the folder is deleted on timeout expiration time that I have set. But when I submit "Invoke" button of webservice for the second time (after session timeout and folder is deleted), its session starts (create folder) and ends (deletes folder) immediately before timeout that I have set.

    Why this happens?

    If I open a new window (new session) for each method call everything is OK. But I have problem when I click "Invoke" button for second time. It is something like caching problem for same sessions.

    Saturday, July 7, 2012 7:34 AM

Answers

  • User949494092 posted

    I found the solution. Look at this link: http://stackoverflow.com/a/11375003/779408. and http://www.thecodeking.co.uk/2011/08/why-sessionend-is-sometimes-called.html

    When the browser is refreshed after the session timeout, the old session cookie is sent in the request. This causes ASP.NET to reuse the original session ID for a new session. However because at the end of the request the application has not yet used the session, ASP.NET affectively abandons it to avoid persistance and to free resources. This causes an early Session_End event.

    Now because ASP.NET does not actually delete the pre-existing session cookie, every subsequent request is essentially restarting the session ID and repeating the sequence of events, such that Session_Start/Session_End are fired repeatedly until either the session is used or the cookie deleted.

    The Fix

    The issue has already been resolved in .NET 4.0. I suspect the session now remains persisted in the case of a session restart.

    If your application is using .NET 2.0/3.5 and has expensive code hooked into the session start/end events, then I recommend you add a dummy session variable to your session start routine. This solves the problem by flagging the session as in use, and helps protect your server resources from excessive session events.

    These lines of code in Global.asax solve the problem:

    void Session_Start(object sender, EventArgs e)
     {
         Session["dummy"] = "dummy session for solving immediate session expire";
     }



    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, July 8, 2012 2:00 AM

All replies

  • User1779161005 posted

    When I open my webservice in browser and call M1, it operates correctly and the folder is deleted on timeout expiration time that I have set. But when I submit "Invoke" button of webservice for the second time (after session timeout and folder is deleted), its session starts (create folder) and ends (deletes folder) immediately before timeout that I have set.

    Is it the same SessionID? If you're using an .asmx (sounds like maybe you are) then you might want to make sure you enabled sessions in your service. You can read more here.

    Saturday, July 7, 2012 9:14 AM
  • User949494092 posted

    I found the solution. Look at this link: http://stackoverflow.com/a/11375003/779408. and http://www.thecodeking.co.uk/2011/08/why-sessionend-is-sometimes-called.html

    When the browser is refreshed after the session timeout, the old session cookie is sent in the request. This causes ASP.NET to reuse the original session ID for a new session. However because at the end of the request the application has not yet used the session, ASP.NET affectively abandons it to avoid persistance and to free resources. This causes an early Session_End event.

    Now because ASP.NET does not actually delete the pre-existing session cookie, every subsequent request is essentially restarting the session ID and repeating the sequence of events, such that Session_Start/Session_End are fired repeatedly until either the session is used or the cookie deleted.

    The Fix

    The issue has already been resolved in .NET 4.0. I suspect the session now remains persisted in the case of a session restart.

    If your application is using .NET 2.0/3.5 and has expensive code hooked into the session start/end events, then I recommend you add a dummy session variable to your session start routine. This solves the problem by flagging the session as in use, and helps protect your server resources from excessive session events.

    These lines of code in Global.asax solve the problem:

    void Session_Start(object sender, EventArgs e)
     {
         Session["dummy"] = "dummy session for solving immediate session expire";
     }



    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, July 8, 2012 2:00 AM
  • User1779161005 posted

    Interesting. I've never seen this problem/situation in the wild, but the reason is that I never use session in real applications. There is a long list of issues that comes up when using it.

    Sunday, July 8, 2012 10:11 AM