ASP.NET & WebServices - Scrambled Session Information

Question

Hi, here's my problem, short and sweet, I hope someone can provide advice.

We're hosting Web Services/ASP.NET on a server running IIS 7. I've developed a web site that uses these services to display information (from another SQL server) to clients. 

I'm under NDA but I can say that we're displaying quite a lot of information at one time.  A few months ago, when we first started developing the system, we were sending everything back as DataTables.  Since then, the person writing the code for the services has converted everything over to classes.  Recently, I've noticed that when a user logs in the session data they get back is sometimes for a completely different user. This is pretty bad as we want to keep client confidentiality.

I've ran the stored procedures and such that the services access and I can never get any invalid results, so I'm assuming that the problem lies with the way the Services are coded, or the way I'm handling things in the website itself.  I do know that if I log into the server machine and restart the webserver, then everything returns to normal for a day or so. Also, I feel that I should point out I've manually increased the data buffer size (sorry if I don't remember the exact name of the field) in my web.config file, since we're sending such large chucks of data for some clients that I was receiving errors.

I would also like to note that both myself and the guy doing the web services are relatively new to the concepts of web services, asp.net, and IIS in general. We're decent C# coders so it hasn't been too much of a hassle, but I know there's a LOT we're probably missing out on.

Does anyone have any clue what the problem might be, constructive comments, or links to resources we could use to improve this system in general?

I'm sorry if anything I've said is rather vague but if you'll ask then I'll be more than happy to clarify anything mentioned above.

Answer 1

Chances are it has nothing to do with not using DataTable, so you can clear that from your mind right now.

What do you mean when you say, "information from another user"? How do you know it's correct information for another user, and not incorrect information for the correct user?

Are you using any static data? If you're new to web services, you may not realize that static data is shared among all users of a service. It is not per-user or per-session.

You mention session data. What kind of session storage are you using? Inproc, SqlServer, StateServer?

---

John Saunders
WCF is Web Services. They are not two separate things.
Use WCF for All New Web Service Development, instead of legacy ASMX or obsolete WSE
Use File->New Project to create Web Service Projects

Answer 2

Well, When the user logs in, they're provided with bits of information from the web services such as their full name, and various properties under their control.  This information is stored in Session data.

It seems that under moments of high stress on the server, when a user logs in, they're verified but given back the wrong data. Now, I have been unable to reproduce the errors manually in code or via direct calls to the SQL server via the Management Studio but from what I can tell, they're given back data from a user who's already logged in, leading me to believe that there's something going on behind the scenes that's scrambling up the Session information.

I already double-checked my code for any static calls and verified there are none. As far as session storage, I'm really clueless as to what you're referring to. Excuse my lack of knowledge but I've just been using calls to this.Session.

Answer 3

I don't mean static calls. I mean static data.

When using ASP.NET session state, there are basically three ways to store it: Inproc, StateServer and SQLServer. These are set in the <sessionState> element in the web.config file:

<sessionState 
    mode="[Off|InProc|StateServer|SQLServer|Custom]">
</sessionState>

---

John Saunders
WCF is Web Services. They are not two separate things.
Use WCF for All New Web Service Development, instead of legacy ASMX or obsolete WSE
Use File->New Project to create Web Service Projects

Answer 4

Sorry, there's no static data.

And I didn't see a SessionState line in my web.config, so I'm assuming it's Off by default?

I don't know what these are, but I'll research into them until you reply :)

Thanks for the help thusfar.

Answer 5

Web.config is hierarchical. If it's not in your web.config, and not in a parent site's web.config, then look at the web.config and/or machine.config in C:\windows\Microsoft.NET\Framework\v2.0.50727\CONFIG.

---

John Saunders
WCF is Web Services. They are not two separate things.
Use WCF for All New Web Service Development, instead of legacy ASMX or obsolete WSE
Use File->New Project to create Web Service Projects

Answer 6

John,

I checked into the web.configs in the hierarchy. The only web.config that has anything referring to sessionState is in the parent folder of the site I'm publishing. All it does is set a timeout.  In the folder you specified, both the web and app config files do not list anything referring to sessionState.  Given what the options are, I would have to assume it's defaulting to InProc since I haven't setup any outside server to handle session data.

Answer 7

Sorry, the following is in a hurry: search in MSDN for "ASP.NET Health Monitoring Overview". Among other things, you'll find there are many things that ASP.NET will write into the event log, simply if you enable them. You should enable logging of application start and stop (and anything else interesting, like maybe session abandon or whatevr).

See if that correlates to when the problem occurs.

Also, look at how your code handles the case when it goes to Session but finds a null instead of the data it's looking for.

Also, make sure that none of this data is stored in Cache or Application state.

---

John Saunders
WCF is Web Services. They are not two separate things.
Use WCF for All New Web Service Development, instead of legacy ASMX or obsolete WSE
Use File->New Project to create Web Service Projects