random IIS session timeout

Question

I have a very strange problem and I am looking for any advice. I have a ASP.NET website running off of IIS 6 which works well for the most part. However, the sessions seem to be randomly cleared? So if I login...click around, i am booted out randomly. Sometimes it's after 30 seconds/4 clicks. Sometimes it's the first click, sometimes it won't even let me login...and sometimes it work fine?? (the reason i know it's being cleared because i print the session when I am logged off, and they are empty)

I have taken a look at the IIS logs but they don't tell me much. I suspect it might be a timezone problem?,..I was wondering if anyone has any knowledge on whether this is a possibility?

Other than that, any tips on how I can find out more on what is happening in the sessions?

By far the strangest part about my problem is it's randomness. Which will probably serve as a good clue for the cause for an IIS/ASP.NET expert. (at least I hope so!)

Another clue: the site works perfect when I host it locally, and I only get the problem when I host it off my virtual godaddy server. (which is running IIS 6)

another thing I noticed

on local host my cookies look like this: (from firebug) Cookie ASP.NET_SessionId=vgt4ly45frvsm1qsfjsmdcbc; username=; demo=true

on the hosted server it is just this: Cookie ASP.NET_SessionId=vgt4ly45frvsm1qsfjsmdcbc;

"username" is the name of my session...maybe i have cookies disabled on the shared hosting and this is causing the session not to work?

Thanks for your time, Andrew

Answer 1

Your asp.net application may be recycled. Recycling can happen if a memory or cpu threshold is reached, or after a while (15 min inactivity used to be the default on IIS6).

When the application is recycled, everything in memory is lost. It could be why you lose session data.

To make sure recycling is the culprit, you can look at the performance counter on your server, or just log something in the Application_Start global.asax handler.

For a list of asp.net performance counters on IIS6, check https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0a6c9f07-a70c-4c3d-b93d-5dfef593c744.mspx?mfr=true

The counters for "Application restarts" and "Worker process restarts" are the one you should be looking at.

Answer 2

Do you have more than one web server in a load-balanced cluster? I've had this problem when the encryption key is different between the 2 servers in the cluster. Whenever the load balancing switches you to another server, .Net can't decrypt the cookie so it thinks it's bad and sends you back to the login page.

Here's the MSDN article about this.

Answer 3

to answer my own question:

this link was very helpful:

http://msdn.microsoft.com/en-us/library/ms972429.aspx

namely this part:

Server farm limitations. As users move from server to server in a Web server farm, their session state does not follow them. ASP session state is machine specific. Each ASP server provides its own session state, and unless the user returns to the same server, the session state is inaccessible. While network IP level routing solutions can solve such problems, by ensuring that client IPs are routed to the originating server, some ISPs choose to use a proxy load-balancing solution for their clients. Most infamous of these is AOL. Solutions such as AOL's prevent network level routing of requests to servers because the IP addresses for the requestor cannot be guaranteed to be unique.

I switched my login/logout session to be purely cookie based (all i need for my solution)...for a more secure implimentation I think ASP.NET has built in Profile's ...as well as...ASP.NET sessions stored in your datebase...which i did not feel like researching /implimenting at the time.

Andrew