Large number of Session_Start with same session id
https://stackoverflow.com/questions/2236129
-
19-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm running a ASP.NET website on my development box (.NET 2.0 on Vista/IIS7). The Session_Start method in global.asax.cs logs every call to a file (log4net). The Session_End method also logs every call.
I'm using InProc session state, and set the session timeout to 5 mins (to avoid waiting for 20 mins).
I hit the website, wait for 5 minutes unit I see the Session_End logging. Then I F5 the website. The browsers still has the session cookie and sends it to the server. Session_Start is called and a new session is created using the same session id (btw: I need this to be the same session id, because it is used to store data in database).
Result: Every time I hit F5 on a previously ended session, the Session_Start method is called, the request is executed and the Session_End method is called immediately.
When I open a different browser, the Session_Start method is called just once. Then after 5 minutes the Session_End each F5 causes the Session_Start/request/Session_End sequence to execute.
web.config relevant section:
<system.web>
<compilation debug="true" />
<sessionState timeout="2" regenerateExpiredSessionId="false" />
</system.web>
Solution
The regenerateExpiredSessionId setting relates to cookieless URLs only, it doesn't affect the behaviour of a session cookie which will be reused.
The issue you are experiencing is because of the way ASP.NET 2.0/3.5 handles sessions based on whether it's in use. In normal circumstances it does not try to persist a session until the first time it's used and therefore does not issue a session cookie (if it doesn't exist). The first time session is used, a session is created on the server and a session cookie issued.
Now when a previous session is restarted but not used, then ASP.NET gets a little confused. It tries to abandon the unused (restarted) session immediately as it's not required, which raises an early Session_End. However it does not delete the pre-existing session cookie, and hence every subsequent request repeats the sequence, restarting and then terminating the session until the cookie is deleted or the session is used.
In .Net 4.0 this behaviour has changed, and the event no longer fires in this case.
