« Previous Next »

• 01-15-2009, 10:42 AM

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Session problem with IIS7 Reply Contact  I just moved to Windows 2008 Server 64 bit version and IIS 7. My problem is that users are getting the same session id. I've changed from In process, Asp.Net state server and now I'm using Memcached, but non have worked correctly. Here is an example. This is session id from a user login in at 15:15:29  ASP.NET_SessionId:gd0jwceqxdcpew45qsxklsrl REMOTE_ADDR:88.149.xxx.xxx  15 seconds later a new user comes with this session id ASP.NET_SessionId: gd0jwceqxdcpew45qsxklsrl REMOTE_HOST:217.195.xxx.xxx It's like IIS can't create enough session id's and needs to reuse them. I'm not behind of any kind of proxy, just connected straight to the internet. Does anybody have any ideas?

  Tags: session

• 01-16-2009, 7:23 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact  Litle update on my problem  I did an override of the SessionID manager and used the example the doc gives, using guid as session id. Everything worked fine from about 5pm yesterday until 10:30:53 this morning, suddenly a lot of people started to have the same session id. I have no idea what is going on, I have changed the name of the session cookie 10 times, and there is nowhere in my code where I'm changing the session id on the user.  I think this happened also around 10:30 yesterday, but can't say the exact timing because I wasn't logging the info that I'm logging now. Right now I'm installing W2K3 server, let see if that changes anything. Anybody have any info on this, ever seen this before? Any idea what could set the same session id for so many users?

• 01-16-2009, 12:33 PM

  In reply to

  leotohill Joined on 04-16-2008, 3:39 PM Posts 8	Re: Session problem with IIS7 Reply Contact  Just curious, in your trace lines above why does one say "REMOTE_ADDR" and the other says "REMOTE_HOST"  ?

• 01-16-2009, 1:15 PM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11	Re: Session problem with IIS7 Reply Contact  It's the same thing. I just copied the wrong line. What I do is write down all the Request.Params that the user has for debuging. Both Remote_host and remote_address is there and give the same result.

• 01-16-2009, 1:35 PM

  In reply to

  leotohill Joined on 04-16-2008, 3:39 PM Posts 8	Re: Session problem with IIS7 Reply Contact  Ah, so that doesn't come from request.UserHostAddress.  How about checking that?

• 01-17-2009, 7:41 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact Request.UserHostAddress is the same, it's just a property that retrieve the ip address from the user, just like Request.Params["REMOTE_HOST"] and Request.Params["REMOTE_ADDR"] (although technically, HOST and ADDR isn't the same thing, in 99% of the time it is) I think I've found a fix for this problem, I'll post an update after the weekend, just wanted to try the changes that I've made to be sure they work

• 01-19-2009, 9:03 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact  Now the server has been running for few days with out any trouble. The solution was to move to Windows 2003 Sever. I copied the code from the win2k8 server to the win2k3 server, started it and everything works fine. On both servers I'm have the latest updates and .net 3.5 SP1. I know that there have been alot of changes between IIS 6 and 7, but what could possible make this strange behavior happend? Any ideas?

• 01-19-2009, 11:23 PM

  In reply to

  leotohill Joined on 04-16-2008, 3:39 PM Posts 8

  Re: Session problem with IIS7 Reply Contact Does your application do anything with the session cookie?  Does it address the session cookie at all, other than indirectly through the HttpSessionState.SessionId value?  Do you have  any Session_OnEnd() code? I doubt that IIS is generating duplicate session id values.   That would be a  big security issue.   It's a mystery. The only other thing I can think of is that someone is hacking in with known session ids. I suppose that that's very unlikely, right?

• 01-21-2009, 9:42 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact I've searched in every file in my project and the only usage that I can see with the SessionId is just as a get and never to set anything into it. I don't have anything in the global.asax that relates to the session, just setting some application variable.  The good news is that everything is running smoothly on win2k3, the bad news is that it's the same code that was running on win2k7 and didn't work

• 01-26-2009, 3:22 AM

  In reply to

  Shad66 Joined on 01-26-2009, 8:19 AM Posts 3	Re: Session problem with IIS7 Reply Contact  I have the exact same setup as you and I'm also experiencing the same problems! Can't seem to find any info on the web about this. Site works 100% in IIS 6, moving to win2008 and iis7, duplicat session id's are generated.

• 01-26-2009, 3:22 AM

  In reply to

  Shad66 Joined on 01-26-2009, 8:19 AM Posts 3	Re: Session problem with IIS7 Reply Contact  I have the exact same setup as you and I'm also experiencing the same problems! Can't seem to find any info on the web about this. Site works 100% in IIS 6, moving to win2008 and iis7, duplicate session id's are generated.

• 01-26-2009, 8:25 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact I'm sorry to say, but I'm kind of happy that I'm not alone. Sorry :) Is there anyone from Microsoft that looks at this forum? This seems like very important troubleshoot. Maybe it's a critical bug in IIS 7, I mean what is it called when everything works on IIS 6 but with the same code is on IIS 7 the session doesn't work? At least I would not recomend IIS 7 to anyone, while is a possible problem.

• 01-26-2009, 9:25 AM

  In reply to

  Shad66 Joined on 01-26-2009, 8:19 AM Posts 3	Re: Session problem with IIS7 Reply Contact Seems my friend has resolved this issue! Here's the short answer: Output caching on dynamic content - disable it :)

• 01-26-2009, 9:49 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11	Re: Session problem with IIS7 Reply Contact  Great to hear. I'll try that, I also had output caching on dynamic content.

• 01-30-2009, 5:44 PM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11	Re: Session problem with IIS7 Reply Contact Just wanted to let you, and everybody that will run into this problem, know that this was the problem, I'm running the application on IIS 7 right now for 1/2 a day, and everything seems to work fine. This is a huge bug in IIS7, let's hope that Microsoft knows about it.

• 02-09-2009, 1:47 AM

  In reply to

  anilr Joined on 05-23-2006, 10:13 PM Redmond, WA Posts 2,343	Re: Session problem with IIS7 Reply Contact You should not be enabling output caching for any response which depends on session state - I am not sure what the IIS bug here is. Anil Ruia Senior Software Design Engineer IIS Core Server

• 02-09-2009, 6:43 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact How can anybody know that? IIS actually uses .aspx and .axd as an example, and I bet that 95% of all dynamic pages uses session. There should be a fat warning sign in the "Add Cache Rule" window and IIS should detect if session is enable on the page. Where is it mentioned that session should be disabled on these pages? http://technet.microsoft.com/en-us/library/cc732475.aspx I'm still saying this is a bug in IIS and a major one. Sorry, I can't agree with you that this is by design when there is no mention about it Microsoft own documents. Even when pressing F1 when you are in the "Add Cache Rule" window in IIS, the help document comes up and there is nothing about not caching session pages.

• 07-01-2010, 4:22 PM

  In reply to

  ken.fleming@smartdrive.net Joined on 01-29-2008, 5:15 PM Posts 2

  Re: Session problem with IIS7 Reply Contact We have the same problem.  We turned of caching for aspx for both user and kernel and we thought we were safe, but we just had it happend again Questions:  Can MVC effect this since it does not make a request to aspx                      We do have caching still enabled on public portal (marketing site) from which the customer can log into the back end which is a secure site which has caching disabled.  Can this be the cause?

• 07-02-2010, 6:07 AM

  In reply to

  ingigauti Joined on 01-15-2009, 10:26 AM Posts 11

  Re: Session problem with IIS7 Reply Contact The problem is that you have the caching still enabled on the public portal, you can't have the caching enabled on any static or dynamic files that are served from the same domain. If you want to cache the static files the solution is to to setup a subdomain for your domain, something like static.yourdomain.com and serve all static content from that domain. The default session id doesn't transfer between subdomain so you are safe. This so called output caching in IIS7 is kinda f**ked up and useless.