Session variables sometimes disappearing

  • Question

  • User-1608281605 posted

    Sometimes my session variables are disappearing. This may be this issue as it happens when running under the Visual Studio debugger and files do change when debugging.

    Are there other issues that can cause this to happen? And is there a way to avoid this for file changes?

    thanks - dave

    Friday, March 20, 2015 12:03 PM

All replies

  • User281315223 posted

    Session variables can be fairly volatile and there are quite a few things that can cause them to be wiped out :

    • Any Application Pool or IIS-related restarts (e.g. Application Pool timeouts, exceptions that cause the application to restart, changes to your web.config that might trigger a restart, etc.)
    • Any explicit clearing of your Session (e.g. through the Session.Clear(), Session.Abandon() or other related methods).
    • Low Resources (e.g. since Session variables are stored at the server level, ASP.NET may elect to clear them out to free up room for usage in other areas of your application).

    Since Session values are stored at the application level, any changes or disruption at that level can cause them to be completely eliminated (since they are just being stored in memory). If you need to persist the values, you might consider using a more resilient datastore such as a database, text file, cookie or some other approach that wouldn't be affected by many of these issues.

    Friday, March 20, 2015 12:12 PM
  • User-1608281605 posted

    I am using this to track the logged in user. So I need to tie it to the session somehow. The sole purpose of this is each request after the user logs in, I use it to verify who they are.

    Is there a better way to do this?

    thanks - dave

    Friday, March 20, 2015 12:16 PM
  • User753101303 posted

    Hi,

    You are handling authentication yourself? User.Identity.Name should allow you to get who is logged in regardless of which method is used.

    I would still investigate (if this is an app pool restart you should find the reason in the Windows log).

    Friday, March 20, 2015 12:19 PM
  • User281315223 posted

    I am using this to track the logged in user. So I need to tie it to the session somehow. The sole purpose of this is each request after the user logs in, I use it to verify who they are.

    How are you currently handling authentication?

    The built-in ASP.NET authentication models (e.g. Forms Authentication, ASP.NET Identity, etc.) will all allow you to access the name or information about the current user after they are authenticated using the User.Identity.Name property if you need it.

    You shouldn't need to be storing anything within the Session itself (it's important to note that User Sessions are different than the actual Session State itself which often is used as a collection to store items in).

    Friday, March 20, 2015 12:38 PM
  • User-1608281605 posted

    Yes we're handling authentication ourselves. We have a DB that has the users and need to use that.

    For this use case, is there a better way to do this?

    thanks - dave

    Friday, March 20, 2015 2:08 PM
  • User753101303 posted

    I was suspecting something such as calling RedirectFromLoginPage or SetAuthCookie or whatever with a name which is not always properly set.

    I would test the name to throw an exception if I'm about to authenticate the user with a name which is blank.

    For now my understanding would be that User.Identity.Name is blank while User.Identity.IsAuthenticated is true?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, April 2, 2015 4:02 AM
  • User281315223 posted

    Yes we're handling authentication ourselves. We have a DB that has the users and need to use that.

    For this use case, is there a better way to do this?

    You could consider using a Cookie ala Forms Authentication to handle this. Basically after your user has logged in, you could create a Cookie associated to that particular user which would be stored in the browser for a certain period of time (designated by the Expires property on the Cookie). This would be a much better approach than using the Session and it would be much more resilient.

    You could either create the cookies manually :

    // Create your cookie
    HttpCookie myCookie = new HttpCookie("AuthenticationCookie",YourUserName);
    // Indicate the cookie will persist for 12 hours
    myCookie.Expires = DateTime.Now.AddHours(12);
    // Add the cookie to the Response
    Response.Cookies.Add(myCookie);

    or by actually using the built-in FormsAuthentication.SetAuthCookie() method :

    FormsAuthentication.SetAuthCookie(YourUserName,true);

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, April 2, 2015 9:39 AM
  • User-1608281605 posted

    The problem with a cookie is then someone can easily hack in by adding that cookie to a request.

    Thursday, April 2, 2015 10:29 AM
  • User281315223 posted

    This is why you'll generally want to use the built-in Forms Authentication one as it is going to handle associating your specific user Session within the application to a cookie behind the scenes. Forms Authentication has a built-in encryption scheme that is also used, so it wouldn't necessarily be as easy as just adding a cookie to the request. You can read a bit more about Forms Authentication security in this related discussion.

    Additionally, if you are building your own cookies, you can set the Secure property of them to True as well to ensure that only cookies served over HTTPS are acknowledged or handle it within the web.config for your application :

    <system.web>
      <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
    </system.web>

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, April 2, 2015 10:40 AM
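
Added example (not code from any poster in this thread): one way to combine the two marked answers, refusing a blank user name and issuing an encrypted Forms Authentication ticket with HttpOnly and Secure set instead of a plain user-name cookie. The class and method names are hypothetical; it assumes Forms Authentication is enabled in web.config with its default protection, the site is served over HTTPS, and credentials were already checked against your own user database.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper, written for illustration only.
public static class LoginHelper
{
    // Call with Response.Cookies after the credentials have been verified.
    public static void SignIn(HttpCookieCollection responseCookies, string userName, bool persistent)
    {
        // Fail loudly rather than authenticate a user whose name is blank.
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("Refusing to issue an auth cookie for a blank user name.", "userName");

        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, issued, issued.AddHours(12), persistent,
            string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the application's machine key,
        // so the cookie value cannot simply be typed in by a client.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from client-side script
            Secure = true,     // only sent over HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;
        responseCookies.Add(cookie);
    }

    // Call with Request.Cookies. Returns the user name from a valid,
    // unexpired ticket, or null if the cookie is missing, expired or altered.
    public static string ReadUserName(HttpCookieCollection requestCookies)
    {
        HttpCookie cookie = requestCookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired || string.IsNullOrWhiteSpace(ticket.Name))
                return null;
            return ticket.Name;
        }
        catch (Exception)
        {
            // Decrypt rejects values that fail validation; treat as not signed in.
            return null;
        }
    }
}
```

When the Forms Authentication module is enabled it performs the same decryption on each request and populates User.Identity.Name, so ReadUserName is only needed where that module is not in the pipeline.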