BUG: Response.Redirect causes premature session expiration when using cookieless sessions (.NET 1.1.4322)

Hi gang,

This one looks like a bug :o(

As you may or may not know, setting session management in web.config to use
cookieless sessions causes the ASP.NET runtime to munge a session ID into
the URL, in the format http://yourapplicationpath/(Session.SessionID)/...
which saves numerous headaches when it comes to storing state across page
requests and sessions.

It works very well for us - our website at www.listersgroup.co.uk uses
cookieless sessions to good effect, with one minor drawback. It appears that
whenever I use Response.Redirect(...) to move the client to a new page, the
ASP.NET runtime wasn't built to handle it when cookieless sessions were
being used.

Example:
Create a new Web Form in your chosen language. Set the web.config file to
use cookieless sessions:

<sessionState mode="InProc" cookieless="true" timeout="30" />

Make a condition in your webform in the Subroutine which is called via
Page.OnLoad:

if (Request.QueryString["redirect"] == "true") {
    Response.Redirect("thisWebForm.aspx");
}

or

If Request.QueryString("redirect") = "true" Then
    Response.Redirect("thisWebForm.aspx")
End If

Watch as the session ID, which is munged into the URL, is magically ignored
and a new one is chosen and re-munged in.

This is causing loads of problems, and I'm looking to find a solution which
will work regardless of location. If no-one else beats me to it, I'll post a
workaround as soon as I'm done!

Help?

Kind regards,
Anthony
Nov 18 '05 #1
Did you try to include the session id in the URL passed to
Response.Redirect?
--
John Saunders
johnwsaundersiii at hotmail
Nov 18 '05 #2
This might well be a bug, but I am not quite convinced. There are a couple
of things to look at, as well as some architectural decisions.

First, are you load balanced in any way? If so, you may have an issue here
with the keys used to encrypt ViewState, et al. You have to manually set
these in a farm, even one with the same state server.

Second, have you messed with any state settings in either the page, the
web.config or machine.config.

Third, it is possible that bubble up of events affects this adversely.

Architectural:
The norm in ASP.NET is writing it like ASP, which is a horrible trend, IMO.
This means we write a single function in a page, rather than treat a page
like a class with multiple related functions. To rearchitect, you may end up
with different panels that are available or hidden, and routes that ignore
the hidden input, but it will get you around the munge issue with cookieless
session state. If your developers do not have a background in windows
programming, a few sample apps will get this concept down. Once you work
with the methodology, you will find it is sound and gets you away from the
issue you are having. You may be too late in the cycle to do this.

If I get the chance, I will play with this a bit and see if I can figure out
any ideas to aid you.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************
Nov 18 '05 #3
"Cowboy (Gregory A. Beamer) [MVP]" <No************@comcast.netNoSpamM> wrote
in message news:OM**************@TK2MSFTNGP09.phx.gbl...
> This might well be a bug, but I am not quite convinced. There are a couple
> of things to look at, as well as some architectural decisions.
>
> First, are you load balanced in any way? If so, you may have an issue here
> with the keys used to encrypt ViewState, et al. You have to manually set
> these in a farm, even one with the same state server.

Nope - I've actually disabled ViewState (originally I thought this may
actually be the root cause of the problem) - and whilst we're not in a
load-balanced situation (yet) we're already prepared for multiple servers -
all of the keys in machine.config and web.config match on each server.

> Second, have you messed with any state settings in either the page, the
> web.config or machine.config.

The only change I've made is to increase the session timeout from 20 to 30
minutes:

<sessionState mode="InProc" cookieless="true" timeout="30" />

> Third, it is possible that bubble up of events affects this adversely.

Again, I thought this might be a problem, but we've ruled this out too. All
the events fire correctly, bubbling up as they should, and everything is
handled as it should be - the problem occurs only when Response.Redirect is
called with a relative URL.

Also, it appears that - when using debug and the watch windows - that
Request.Uri.AbsoluteUri.ToString completely ignores the inline munged
SessionID. In fact, all the methods of Request.Uri ignore the fact that
there is a SessionID in parentheses in the requested URL. Perhaps this is a
client/server communication problem, and not a problem in the ASP.NET
runtime itself... I don't know.

> Architectural:
> The norm in ASP.NET is writing it like ASP, which is a horrible trend, IMO.
> This means we write a single function in a page, rather than treat a page
> like a class with multiple related functions. To rearchitect, you may end up
> with different panels that are available or hidden, and routes that ignore
> the hidden input, but it will get you around the munge issue with cookieless
> session state. If your developers do not have a background in windows
> programming, a few sample apps will get this concept down. Once you work
> with the methodology, you will find it is sound and gets you away from the
> issue you are having. You may be too late in the cycle to do this.

We've actually got our project and classes set up in a similar way to the
IBS portal, whereby placeholders are used, and User Controls are added using
Placeholder.Controls.Add(LoadControl("...")) in the order in the
database/XML file we're using.

> If I get the chance, I will play with this a bit and see if I can figure out
> any ideas to aid you.

Cool, though for the record, I'm currently using this as a workaround, and
it seems to work just fine:

' Redirect to the current URL with the session ID put back after the application path.
Public Shared Sub ResponseRedirect()
    HttpContext.Current.Response.Redirect( _
        HttpContext.Current.Request.Url.AbsoluteUri.ToLower.Replace( _
        HttpContext.Current.Request.ApplicationPath.ToLower, _
        HttpContext.Current.Request.ApplicationPath.ToLower + "/(" + _
        HttpContext.Current.Session.SessionID + ")"))
End Sub

' Redirect to PathAndQuery (relative to the application) using an absolute URL.
Public Shared Sub ResponseRedirect(ByVal PathAndQuery As String)
    HttpContext.Current.Response.Redirect( _
        HttpContext.Current.Request.Url.Scheme + _
        HttpContext.Current.Request.Url.SchemeDelimiter + _
        HttpContext.Current.Request.Url.Host + _
        HttpContext.Current.Request.ApplicationPath + "/(" + _
        HttpContext.Current.Session.SessionID + ")/" + PathAndQuery)
End Sub

Thanks for the help! If you do find anything out, I'd be very interested in
seeing it!

Regards,
Anthony
Nov 18 '05 #4
John,

When using relative URL fragments, it's not that easy to simply include the
munged sessionID - I've posted a workaround, as a reply to Gregory's
response, which shows how I'm getting around the problem, by using an
absolute URL which is pieced together using various
HttpContext.Current.Request objects and putting the SessionID in manually.

Regards,
Anthony
Nov 18 '05 #5
Anthony - Here's a stupid question. Does your app write anything to
session? I don't know about cookieless but my understanding of inproc
session is that sessionid is not persisted until something adds to session
i.e. a simple session.Add("myVar","Hello World") will cause sessionid to be
persisted.

Brad
Nov 18 '05 #6
Hi Anthony,

Based on my test, I just created two simple pages in my web project,
page1.aspx and page2.aspx. I set the session as inprocess and cookieless.
And in page1.aspx, I use the following code in a button's click event handler:

Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    Response.Redirect("page2.aspx")
End Sub

and I've also tried Server.Transfer("page2.aspx"); they all work well
without starting a new session ID in the URL. But I did meet problems when
changing the URL path to a root-based URL such as

Response.Redirect("/approot/page2.aspx") and also found the following
article which also mentioned this behavior
http://www.eggheadcafe.com/PrintSear...asp?LINKID=401

Hope helps.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 18 '05 #7
"Anthony Williams" <to**@bigtone.net> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> I'm currently using this as a workaround, and it seems to work just fine:
>
> Public Shared Sub ResponseRedirect()
>     HttpContext.Current.Response.Redirect( _
>         HttpContext.Current.Request.Url.AbsoluteUri.ToLower.Replace( _
>         HttpContext.Current.Request.ApplicationPath.ToLower, _
>         HttpContext.Current.Request.ApplicationPath.ToLower + "/(" + _
>         HttpContext.Current.Session.SessionID + ")"))
> End Sub
>
> Public Shared Sub ResponseRedirect(ByVal PathAndQuery As String)
>     HttpContext.Current.Response.Redirect( _
>         HttpContext.Current.Request.Url.Scheme + _
>         HttpContext.Current.Request.Url.SchemeDelimiter + _
>         HttpContext.Current.Request.Url.Host + _
>         HttpContext.Current.Request.ApplicationPath + "/(" + _
>         HttpContext.Current.Session.SessionID + ")/" + PathAndQuery)
> End Sub

Anyone using the above may wish to try this newer, more reliable version
out:

Public Shared Sub Redirect()
    HttpContext.Current.Response.Redirect( _
        HttpContext.Current.Request.Url.AbsoluteUri.ToLower.Replace( _
        HttpContext.Current.Request.ApplicationPath.ToLower, _
        HttpContext.Current.Request.ApplicationPath.ToLower & _
        "/(" & HttpContext.Current.Session.SessionID & ")"))
End Sub

Public Shared Sub Redirect(ByVal PathAndQuery As String)
    Dim RedirectUrl As String
    ' Application at the site root: do not prepend "/" again before "(id)".
    If HttpContext.Current.Request.ApplicationPath = "/" Then
        RedirectUrl = HttpContext.Current.Request.Url.Scheme & _
            HttpContext.Current.Request.Url.SchemeDelimiter & _
            HttpContext.Current.Request.Url.Host & "/(" & _
            HttpContext.Current.Session.SessionID & ")"
    Else
        RedirectUrl = HttpContext.Current.Request.Url.Scheme & _
            HttpContext.Current.Request.Url.SchemeDelimiter & _
            HttpContext.Current.Request.Url.Host & _
            HttpContext.Current.Request.ApplicationPath & "/(" & _
            HttpContext.Current.Session.SessionID & ")"
    End If

    ' Add the separating slash only when PathAndQuery does not already start with one.
    RedirectUrl &= CStr(IIf(PathAndQuery.StartsWith("/"), "", "/")) & _
        PathAndQuery

    HttpContext.Current.Response.Redirect(RedirectUrl)
End Sub
Nov 18 '05 #8
"Brad" <no****@co.lane.or.us> wrote in message
news:u8**************@TK2MSFTNGP12.phx.gbl...
> Anthony - Here's a stupid question. Does your app write anything to
> session? I don't know about cookieless but my understanding of inproc
> session is that sessionid is not persisted until something adds to session
> i.e. a simple session.Add("myVar","Hello World") will cause sessionid to
> be persisted.

AFAIK, Session.SessionID is persisted from the first request, though my
Global class sets quite a few things on Session_Start.
Nov 18 '05 #9
Hmmm. I tried your example and the cookieless id is remaining constant for
me. Did a response redirect based on querystring param and response
redirect based on postback of a link button and in both instances the munged
id in the url remained constant. This was tested using framework 1.1
(vs2003) on win2003 server.

Brad

Nov 18 '05 #10
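
Added example (not part of any post in this thread): a JavaScript model of what posts #7 and #8 describe, showing which redirect targets keep the "(SessionID)" path segment once the browser resolves them, and how a root-based target can have the segment put back after the application path. It assumes the Location value reaches the browser as written; the host, application path and session ID are constructed, and all function names are illustrative.

```javascript
// Constructed sample values (not from the thread).
const SID = "abcdefghij1234567890abcd";
const PAGE1 = "http://www.example.test/app/(" + SID + ")/page1.aspx";

// Matches the "/(sessionid)" path segment that cookieless mode puts in the URL.
const SESSION_SEGMENT = /\/\(([A-Za-z0-9]+)\)(?=\/|$)/;

// Session ID carried in a URL's path, or null when there is none.
function sessionIdOf(url) {
  const m = SESSION_SEGMENT.exec(new URL(url).pathname);
  return m ? m[1] : null;
}

// URL the browser requests next: the Location value resolved against the
// URL of the page that issued the redirect.
function followRedirect(currentUrl, location) {
  return new URL(location, currentUrl).href;
}

// Rebuild a redirect target so that it keeps the current session segment.
// appPath plays the role of Request.ApplicationPath ("/" or "/app").
function withSessionSegment(currentUrl, appPath, target) {
  const current = new URL(currentUrl);
  const resolved = new URL(target, current);
  const sid = sessionIdOf(currentUrl);

  // A target on another host is returned untouched, so the ID never leaves the site.
  if (resolved.origin !== current.origin) return resolved.href;
  // Nothing to add, or the relative target already inherited the segment.
  if (sid === null || sessionIdOf(resolved.href) !== null) return resolved.href;

  // An application at the site root contributes no prefix (the "/" case in post #8).
  const root = appPath === "/" ? "" : appPath.replace(/\/+$/, "");
  const path = resolved.pathname;
  const lower = path.toLowerCase();
  const inApp = root === "" ||
    lower === root.toLowerCase() ||
    lower.startsWith(root.toLowerCase() + "/");
  if (!inApp) return resolved.href; // path belongs to a different application

  resolved.pathname =
    path.slice(0, root.length) + "/(" + sid + ")" + path.slice(root.length);
  return resolved.href;
}

// Walk through the two cases from post #7 plus the repaired root-based target.
function demo() {
  const relative = followRedirect(PAGE1, "page2.aspx");
  const rootBased = followRedirect(PAGE1, "/app/page2.aspx");
  const repaired = withSessionSegment(PAGE1, "/app", "/app/page2.aspx");
  return {
    relativeKeepsSession: sessionIdOf(relative) === SID,
    rootBasedKeepsSession: sessionIdOf(rootBased) === SID,
    repairedKeepsSession: sessionIdOf(repaired) === SID,
  };
}

console.log(demo());
```

On the server side, ASP.NET provides HttpResponse.ApplyAppPathModifier, which adds the session ID to a virtual path when cookieless sessions are in use, so a hand-built URL is not the only option.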
