Hi,

In my project I have configured .NET's sessions to go into database. I also have a global.asax which implements Session_Start(). In Session_Start() I write three things to the session:

  • The time the session started.
  • The user's host address.
  • A serializable device object wrapping the user's agent.

The problem is now that users who don't allow cookies won't allow session cookies either. (Easily reproducible by putting the site URL to the restricted sites of IE).

If I keep on refreshing (put finger on F5) a new session is created for every request (-> no session cookie). Shortly, the web server process grows to some hundred megabytes. It does not matter if you use IIS7 or Cassini Local Webserver.

The issue is now: the memory does not get released until the sessions time out. What is the logic here if sessions should really go to database? How long will .NET keep them in memory? Eventually, you'll even get Out Of Memory exceptions!

Anybody know? How to detect and prevent such (almost malicious) "attacks"?

René

A: 

> What is the logic here if sessions should really go to database?

Who says they go to the database? If that is your code in start stop - .NET does not know about it. So it keeps them in memory.

> The problem is now that users who don't allow cookies won't allow session cookies either

I would call that a little unusual. Most users blocking cookies will NOT block session cookies.

> Shortly, the web server process grows to some hundred megabytes

Not a problem. Like "come back when it reaches 1.5gb".

In general, .NET will keep sessions in memory because they are a lot faster there to access than from the database. Users rejecting session cookies ARE a problem, but should be a RARE one.

TomTom
They should go to DB because I did not define "in process" sessions but database session handling in web.config. Even if it is unusual, I find it even more unusual that a client not accepting cookies can bring a whole server down running a .net project. And as I said: eventually, the web server will run out of memory and recycle. This IS a problem.
Krumelur
A: 

Why did you start a session in the first place? Looks like the specified information should be in cookies and not a session. And by doing so you'll get rid of the problem too.

Only use sessions to keep user state (after logging in).

jgauffin
I don't want to discuss WHY I do things. It is a test. The question really is: In web.config, I specify database session state. So I'd assume at some point, .net will start using that database but it keeps on pushing the sessions into memory. Why is it not swapping?
Krumelur
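On the question's "how to detect" part, the following is an added example, not code from the thread: a sliding-window check over the two values the question already records in Session_Start (start time and host address). It assumes each session start is also written to a log the check can read; the function name, threshold and window are hypothetical and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one (start time, host address) record per Session_Start.
BASE = datetime(2011, 3, 1, 10, 0, 0)
SAMPLE_SESSION_STARTS = (
    # Client that never returns the session cookie, refreshing twice a second.
    [(BASE + timedelta(milliseconds=500 * i), "192.0.2.10") for i in range(8)]
    # Steady but slow stream of new sessions, e.g. several users behind one proxy.
    + [(BASE + timedelta(seconds=5 * i), "203.0.113.5") for i in range(6)]
    # Ordinary visitor whose session timed out between visits.
    + [(BASE + timedelta(minutes=4 * i), "198.51.100.7") for i in range(3)]
)


def flag_session_floods(starts, max_new_sessions=5, window=timedelta(seconds=10)):
    """Return {host: peak count} for every host that started more than
    max_new_sessions sessions inside any single sliding window."""
    recent = defaultdict(deque)  # host -> start times still inside the window
    flagged = {}
    for stamp, host in sorted(starts):
        times = recent[host]
        times.append(stamp)
        # Drop session starts that have aged out of the window.
        while stamp - times[0] > window:
            times.popleft()
        if len(times) > max_new_sessions:
            flagged[host] = max(flagged.get(host, 0), len(times))
    return flagged


if __name__ == "__main__":
    for host, peak in flag_session_floods(SAMPLE_SESSION_STARTS).items():
        print(f"{host}: {peak} new sessions within 10 s")
```

A host address can stand for many users behind a proxy or NAT, so a flagged address is a signal to rate-limit or to stop writing session data for it, not proof of a single misbehaving client.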