Session.SessionID, if it uses session state, why put it in the URL?

Hi,

I have a website which uses Session.SessionID as a key, to lookup information about the user in my database (essentially managing state from page to page). I'm trying to make my site web-farmable and am having issues. It seems I can no longer use Session.SessionID to identify a user because it uses 'Session State' which is a no go on webfarm. I am aware that if the user has cookies turned on, it's all good, but I want users with cookies turned off to also be able to use my site.

What confuses me is when cookies are turned off and a user browses my site, the SessionID appears in the address bar. Why, if this information is being passed forward and backwards using the URL, does it also need to rely on Session State?

Any answers or information links will be hugely appreciated!

Thanks
Tim 

0
timmortlock
9/14/2007 12:11:51 PM

SessionState is stored in the server's memory for as long as the session is active, or until your code removes values from it.  The problem with this in a multi-server environment is that you are not guaranteed to get the same server with every request.  Thus your Session data can be on server A while your current request is going to server B.

I'm not exactly sure of how this works in a multi-db environment (unless you have constant replication taking place), but you can store Session data in the database.  You can also set up a server that is dedicated to storing state values.

http://msdn2.microsoft.com/en-us/library/ms178586.aspx

 


---------------------------------------
MCP - Web Based Client Development .NET 2.0
0
ps2goat
9/14/2007 2:29:38 PM

Thanks for your reply. I'm trying to avoid storing Session State in the database for reasons I won't bother you with. Session.SessionID (e.g. a long string like "oz1fvv45ambj4zvxqgqky22x") is the only time I use Session State on my site, just to remember who a user is from page to page. In web.config I have cookieless="AutoDetect" which means normally this SessionID is stored in a cookie. However when cookies are not allowed by the user, this funny long string (SessionID) appears in the URL. I ignorantly thought that when a webfarm came along I could replace the Session.SessionID syntax with some code to grab this value from the URL (if cookies are off), but the problem is since it's part of session state, when the user goes to a different webserver in the farm and the previous Session State is obviously not there, a new one of these SessionIDs is issued in the URL, even though a valid SessionID was in the URL when requesting the page.

I'm starting to think I might be forced to store session state in the database. Or write my own code which, if cookies are turned off, appends this value to the Querystring for every page request (manually pass it around myself).

Any thoughts appreciated.

t

 


 



0
timmortlock
9/14/2007 3:49:01 PM

Yes, you would have to code your own "ID" mechanism. You would need to implement something that checks in the incoming request querystring for a specific key. If it doesn't exist, then you generate a unique id and tack it on. Then, you also need to make sure you persist that querystring value in all the links and such on your site. For example, if your menu's navigate url is "/home.aspx", the querystring would be erased. So either make sure you build all links to include your ID in the querystring or implement something that filters the response and adds it to every link.

As to your question about the session id in the url...

Think of the session as a hash table of hash tables. The first hash table is a collection of all the different session states for the application and is keyed off the session id. Using that key, ASP.NET now has a reference for the specific client's session - which is basically just another hash table keyed off whatever you add (e.g. Session["customerID"] = xyz;).

The session id is not stored in the session as a session item, it's stored on the client (as a cookie or persisted in the url) and set in the session class's SessionID property for easy reference.

 

I do think the easiest solution would be to store the session externally so your web-farm shares that first "hash table". Even though you only need it to keep track of the current client, the implementation of persisting the session id is already in place.

Also, I seem to remember something about if you don't actually use the session for anything, a new one is created on every request. So store something stupid like the current date (do this in global.asax for the session start event).

/js

0
jshepler
9/16/2007 3:56:54 PM

Thanks js, you've explained it well. Your mention of "The session id is not stored in the session as a session item, it's stored on the client (as a cookie or persisted in the url) and set in the session class's SessionID property for easy reference." is what I originally thought.

However I find it bizarre that when you go to a different webserver in a web farm it ditches the Session ID from your URL and gives you a new one. Do you believe this is correct? To be honest I don't have a webfarm setup yet, I am testing this by manually changing the domain and using two different webservers. So in a real webfarm what I am saying might be wrong?

thanks,

t
 

0
timmortlock
9/17/2007 3:19:33 PM

Two different webservers will have two different hash tables.

The first request to server 1 will get a session id, which is added to server 1's hash table.

The second request to server 2 will get a new session id because that other session id is not in server 2's hash table.

 A web farm doesn't share memory (the inprocess session) - so each server in the farm would have a different hash table. This is why you need a common storage mechanism for the session like sql server.

 

I don't have any experience with web farms, I'm just making logical observations.

/js

0
jshepler
9/17/2007 3:34:08 PM

Ok thanks, I understand what you're saying and it backs up my tests and new understanding. I guess I was generalising my terms, maybe a more appropriate title for this thread is "Session.SessionID, if it uses In Process Memory, why also persist it in the URL?". I still think it is silly to have something rely on In Process Memory when it's already being passed up and down in the URL, but maybe Microsoft have their reasons.

0
timmortlock
9/17/2007 4:22:02 PM

timmortlock:
 "Session.SessionID, if it uses In Process Memory, why also persist it in the URL?".

I think you are forgetting the stateless (disconnected) nature of the web.

When you request a page, a connection is made to the server, downloads the page, and closes the connection.

When you click a link on that page, another connection is made to the server, but the server has no way to know that it came from the same browser window that made the last request. It knows that it came from the same IP, but it could be a different window. It doesn't know that it's the same browser window.

By passing the same session id with every request, the server can now associate all requests with the same browser window.

On the very first request, no session id is sent. This indicates to the server that a new session is starting. The server will then generate a new unique session id and pass it back to the browser window so that all further requests from that browser window can send that session id. The server keeps a database (of sorts) of all the sessions that it has started. When a request comes in that has a session id, it does a lookup of that id and loads the appropriate information. If that id is not found, it starts a new session, generates a new session id and passes that back to the browser window.

We, as developers, can specify where that database is kept. By default it is kept in the server's memory. In this case, server B does not have access to server A's memory, and so any session ids generated from server A will not exist on server B and so server B will generate a new id.

We can configure the servers to keep the database in a more central location - like sql server - so that they can share the same session database. Now, the session id generated by server A can be passed to server B and server B will use the same session that server A created.

 

0
jshepler
9/17/2007 7:07:34 PM

Sorry, it's hard to get my question across in writing. I do understand the stateless nature of the web. The crux for me is in your quote:

jshepler:
When a request comes in that has a session id, it does a lookup of that id and loads the appropriate information. If that id is not found, it starts a new session, generates a new session id and passes that back to the browser window.

I had hoped this session id concept was simply a method for creating a tracking id (either in cookie or url), no looking up of details in memory like 'session state'.

Even so, it would work for me if it did this: "If that id is not found, it starts a new session using that id. Of course there's the instance of no id being passed in the URL (e.g. browsing for the first time) in which it would need to generate a new session id".

Thanks for your replies. You've helped me understand that the asp.net session id concept is not going to work for me. I will need to store the server memory in SQL or code my own session id concept.

0
timmortlock
9/18/2007 9:47:20 AM
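
A small model of the session lookup described in this thread, added here as an illustration; it is not ASP.NET code and does not come from any of the posters. The names SessionStore, WebServer and adopt_unknown_ids are hypothetical; adopt_unknown_ids models the "starts a new session using that id" variant, under which the server accepts an identifier it never issued.

```python
import secrets


class SessionStore:
    """The outer 'hash table of hash tables': session id -> that client's items."""

    def __init__(self):
        self.sessions = {}


class WebServer:
    def __init__(self, name, store, adopt_unknown_ids=False):
        self.name = name
        self.store = store                      # private (in-process) or shared
        self.adopt_unknown_ids = adopt_unknown_ids

    def handle(self, session_id=None):
        """Return (session_id, items) for one request carrying session_id."""
        sessions = self.store.sessions
        if session_id in sessions:              # known id: load its items
            return session_id, sessions[session_id]
        # Unknown or missing id: issue a fresh one unless told to adopt it.
        if session_id is None or not self.adopt_unknown_ids:
            session_id = secrets.token_urlsafe(18)
        sessions[session_id] = {"started_on": self.name}
        return session_id, sessions[session_id]


def demo():
    # 1. In-process state: each server has its own store (no shared memory).
    a, b = WebServer("A", SessionStore()), WebServer("B", SessionStore())
    sid, items = a.handle()                     # first request, no id sent
    items["customerID"] = 42
    sid_b, items_b = b.handle(sid)              # next request lands on B
    inproc = (sid_b == sid, items_b.get("customerID"))

    # 2. Shared store (the SQL Server / state server arrangement).
    shared = SessionStore()
    a2, b2 = WebServer("A", shared), WebServer("B", shared)
    sid2, items2 = a2.handle()
    items2["customerID"] = 42
    sid2_b, items2_b = b2.handle(sid2)
    shared_result = (sid2_b == sid2, items2_b.get("customerID"))

    # 3. Adopting unknown ids: the id survives a server hop without a shared
    #    store, but the server now honours a value it did not generate.
    c = WebServer("C", SessionStore(), adopt_unknown_ids=True)
    constructed = "constructed-id-never-issued"  # constructed sample value
    sid_c, _ = c.handle(constructed)
    adopted = sid_c == constructed

    return inproc, shared_result, adopted


if __name__ == "__main__":
    print(demo())
```
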