asp.net, stateserver, NLB, session lost.

Question

Hello everyone, 1st post on stackoverflow, hope to have great feedback :)

I'm currently trying to load balance our web site. We have set up a 2 cluster NLB on windows server 2003 with IIS 6.

While testing the setup, I found that sometimes, our session is lost. A day and a half later, here's the result:

1. Yes, our machine.config both have the same encryption/decryption key.
2. Yes, the id in iis metabase.xml are the same for both machine. Actually, the entire file are the same, except for "AdminACL".
3. Both web application are set with "StateServer" and both pointing at the same machine.

From that point, searching on google gives less information and possible solutions.

From what I know, there's no particular pattern that cause this problem. It just happen once in a while.

While trying to find the problem, I've seen that a request sent the asp session id cookie to the server, but the server didn't map it to the user session.

So the request number x was sent from the client, with the cookie, session was mapped, and everything went smoothly. The request number x+1 was sent from the client, with the cookie, but session was not found.

Both request were made on the same machine in the NLB.

Here's a snippet of the asp trace.axd:

1st request:

Request Details Session Id: j2ffvy45updpc52uhw1mbg55 Request Type: GET Time of Request: 11/26/2008 2:58:06 PM Status Code: 200 Request Encoding: Unicode (UTF-8) Response Encoding: Unicode (UTF-8)

Request Cookies Collection

Name Value Size

ASP.NET_SessionId j2ffvy45updpc52uhw1mbg55 42 AID 22 9

Response Cookies Collection

Name Value Size

Headers Collection

Name Value

Cookie ASP.NET_SessionId=j2ffvy45updpc52uhw1mbg55; AID=22

2nd Request:

Request Details Session Id: Request Type: POST Time of Request: 11/26/2008 2:58:08 PM Status Code: Request Encoding: Unicode (UTF-8) Response Encoding:

Request Cookies Collection

Name Value Size

Response Cookies Collection

Name Value Size

Headers Collection Name Value Cookie ASP.NET_SessionId=j2ffvy45updpc52uhw1mbg55; AID=22

As you can see in the 2nd request, the cookie is sent from the client, but asp seems to never add the cookies in it's "Request Cookies Collection". I think that's why it doesn't find the session.

So why the cookie is not mapped to the session? Is that the problem? Is the problem elsewhere?

Feel free to ask any clarifications.

Thank you all for your feedback.

JF

Answer 1

Not strictly an answer to your question, but have you tried it using a sql server based session store? (Search on MSDN for the permanent script rather than the temp script that's provided with asp.net)

I've heard "bad things" about the executable session service, and consequently have not used it. Never had any problems web farming with the sql server based solution though.

Sorry it's not strictly an answer to your problem, but it should either (a) fix it, or (b) narrow it down significantly.

Answer 2

Hello,

thanks for you feedback, but we're a small company, and right now, we don't have SQL Server, and it's not my call. Anyway, bottom line, we don't have it, we can't have it for now. It would the first thing to do though, I agree.

Answer 3

Well, if you're using visual studio, you could at least test it with the MSDE (the cut down version of SQL Server that comes with Visual Studio)...

It might help rule out state server problems...

Answer 4

Using the database approach has its own issues. I think you should be able to use your preferred approach.

Perhaps this session troubleshooting article would help?

Or "Troubleshooting Session Related Issues in ASP.NET"

Or "Troubleshooting Expired ASP.NET Session State and Your Options"

Answer 5

I'll be lame and re-iterate the proposal of MS SQL Server. Install SQL Server Express which is completeley free including for commercial use and it has only these 3 drawbacks which shouldn't be a problem for you in this stage :

• Max 4GB size database
• Max 1 CPU Core used
• Max 1GB RAM used

Answer 6

A few points to take into consideration:

• What's the load on your website? State Server has the tendency to crash when facing a large number of concurrent hits. We're only using it in scenarios where we have a really small number of users (in the 10's, mostly backend systems). Whenever we tried using it in production for sites serving 1000's of users daily, it would crash leading to loss of session data.
• On one of the production environments we manage, we're using MSSQL 2005 Express to manage the sessions, the site has 10K+ users a day and 200K+ pages a day. This is a recommended approach in case session is a must and tightly coupled into your application.

If you're about to user MSSQL Express as your state DB, remember that it doesn't come with SQL Server Agent meaning there's no tasks scheduler running in the background and cleaning your expired sessions. I'd recommend finding a scheduler and running the clean expired sessions stored procedure periodically.

Good luck

Answer 7

Instead of messing around with SQL, send your tests directly into one of your IIS nodes to see if you still get the same issue. I'm sure if your only doing a small number of tests StateServer won't be the issue.

Answer 8

Try setting the domain name of the asp.net_sessionid through code to ".yourdomain.com". By default the ASP.net_SessionID cookie domain name is set to the full application path. So, this may be one of the reason why the cookie is not travelling.

E.g. Request.Cookies["ASP.NET_SessionId"].Domain = ".yourdomain.com". Remember the first "." is important in the domain name.

You could do this in the HttpModule in the AcquireRequestState event.

Answer 9

Hello everyone.

I finally found the answer to my problem. It's origin are within the application code (like 99% of a programmer's 3rd party tools 'bugs'). I decided to post it anyway in case someone is in a similar scenario.

This code was part of WebServiceRequester class. The web service requester class was instanciated when session was created and it is saved in session. During creation, we initalizate the member 'm_webServiceURL', and this member is saved in session after. At which value was this member initialize was depending on a setting on the local machine.

The important part is the following: WebServiceRequester class contains a WebService objects. WebService objects can't be saved in session, they are not serializable in asp. The property had the [NonSerialized] attribute on it. So everytime we accessed the 'WebService' property of the object for the first during a page life cycle, we had to create a new one, and assigning ot it the url 'm_webServiceURL' which was saved in session. So you see, new webservice object, on possibly a different machine, meaning a different setting on each machine.

so here's what happened: box 29 was set to access Web Service at localhost

box 30 was set to access Web Service as 192.168.253.29.

Technically, they are both set on the same machine. But here's a scenario:

login on box 29. m_webServiceURL is set to localhost in session.

[some request on box 29 here]

NLB balancing bring us on box 30. box 30 loads it's session, create a new webservice obect with localhost as the web service address. box 30 made the request to the wrong web service leading to a Session Expired exception.

One of the problem during the debug, was that the local communication were not recorded with the network monitor.

What lead me on the trace, was that we never had an exception logged on the box 29 log trace, as it should have.

Thanks for you suggestions everyone, it was really appreciated.

Have a good day. JF