tags:

views:

605

answers:

1
Q: 

How to prevent ashx from resetting Session Timeout?

I'm having trouble finding any info on this, which makes me think I'm doing something wrong. I've made an ashx that serves up secured images to our logged-in users. The problem is that a Sql Profiler trace reveals that TempResetTimeout is called in our Session State DB for every image served via this mechanism. This ashx was built to replace an aspx that used to do the same thing but was causing many session state db deadlocks due to many images and web garden usage, yada, yada. This is definitely an improvement, due to one less "Read Committed" call to session state db, but the fact that there's an update means we can still have some deadlocks. Basically, we want NO session interaction at all from the use of this ashx, but that doesn't seem to be happening.

I certainly don't have the IRequiresSessionState interface implemented, so I am led to believe that my ashx should not touch Session in any way. I see Global.asax hit for every occurrence however, and Global.asax references session in some of its code. This led me to try to exclude this particular page from any sort of authentication via the following in web.config...

<location path="ImageHandler.ashx">
<system.web>
 <authentication mode="None" />
</system.web>
</location>

...but this causes the ashx to not fire at all (no image displayed and no breakpoint hit in ProcessRequest). I'm not sure why that is happening.

How can I get my ashx ImageHandler to not touch session AT ALL?

+1  A: 

SessionState is set up on an Application level, so the only way to disable session for any ASP.NET request is to put it in its own Application in IIS and turn session state off.

<system.web>
    <sessionState mode="Off" />
</system.web>

http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx

You could also create your own session state module (perhaps trying to wrap the existing one), but that also would either require IIS configuration to set up another folder as an Application, or replacing it on your root application.

http://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionstatemodule.aspx

Though that just seems like a lot more effort than just turning it off for one subfolder that's configured as an Application in IIS.

Adam Sills  2009-08-31 15:11:08
Setting up the folder containing my ashx as an application and turning off session for that application sounds like the way to go. Thanks for your help.
Tim Hardy  2009-09-03 04:53:05

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?