Hi, I am having problems with an ASP.NET C# site whereby I am setting a session state object to true and then redirecting to another page that needs to check the value of the session state object and it is null.

Sometimes it is set correctly and other times it is simply null.

When I debug on my local machine it works perfectly every time. Only when I upload to my web server does this temperamental behaviour happen.

As it is based around the security of the site it is obviously important that the session data be valid and accurate every time.

Is session state data unreliable?

AFAIK it's set to inproc, cookieless, 30 min timeout, vanilla installation of IIS.

Does anyone have any suggestions? Perhaps I need to thread.sleep in between the storing of the session data and the reading?

NB: the time between the write and the read is about 70ms.. ample time for the data to be written to RAM.....

+1  A: 

If the session state is lost, typically that's because your process either recycles or fails. I would never "rely" on the session state between pages. Instead you might want to try to persist data between pages some other way. Perhaps passing the information via form variables or saving the data in the database.

ASP.NET Profiles are a preferred way to save this sort of information. You might want to read ASP.NET State Management Recommendations.

Keltex
Actually, OP is indicating it is a security issue so is probably authentication related. In which case, profiles are of no authoritative use without a forms ticket.
Sky Sanders
+2  A: 

No. It sounds like you are misusing session state. You can not rely on the user's session to be there. Your ASP.NET worker process could recycle, restarting the application and killing all sessions, or a file could change in your website, causing your application to restart and flushing all sessions, cookies could get flushed on the client, timeouts could happen, etc.

So you have to provide for all of these scenarios with Session State. Try to avoid using session state for things like this. If you're setting access inside your session state and you don't know exactly how it works, you could be opening your site up for a lot of security risks.

Dave Markle
+1  A: 

Everything points to a web farm. If you have different web servers on the production environment serving your application you would experience this behavior.

I don't find any other explanation for this "WORKS ON MY MACHINE!"

Claudio Redi
I agree, the reason it works intermittently is because sometimes you get the same worker process and others you do not. Try using a sessionstate mode other than InProc.
Steve Strickland
+2  A: 

I don't have an answer for your particular problem, but Claudio may be on to something.

What I have to say is that using session for security is so 90's. Literally.

FormsAuthentication was developed to replace that technique and does quite a fine job.

You should only rely upon session for trivial concerns that are easily recoverable.

Security is not one of those.

Sky Sanders
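
The approach the answers above point to, as an added example that is not code from any poster in this thread: the login decision is carried by a FormsAuthentication ticket, and session holds only data that can be rebuilt. It assumes Web Forms with `<authentication mode="Forms">` in web.config, a configured membership provider, and, on a web farm, the same `<machineKey>` on every node; the page names, control names and the `DisplayName` session key are hypothetical.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Login.aspx. UserName and Password are
// TextBox controls declared in the page markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Assumption: credentials live in the configured membership provider.
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            return; // stay on the login page
        }

        // Issues an encrypted, signed ticket in a cookie. Nothing is kept in
        // worker-process memory, so an app-pool recycle or a request served
        // by another farm node still sees the user as logged in.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect("~/Members/Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Code-behind for a hypothetical protected page, Members/Default.aspx.
public partial class MembersDefault : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Fail closed: the access decision comes from the validated ticket,
        // never from a Session flag that may be null after a restart.
        if (!Request.IsAuthenticated)
        {
            // RedirectToLoginPage does not end the request, so return here.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Session is only a cache: rebuild the value when it is missing
        // instead of treating null as an error or as "not logged in".
        string displayName = Session["DisplayName"] as string;
        if (displayName == null)
        {
            displayName = User.Identity.Name;
            Session["DisplayName"] = displayName;
        }
    }
}
```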