Geeks With Blogs

News




What I do:

Identity Mine

MVVM Light

GalaSoft


What I am:

Microsoft Most Valuable Professional, Client Application Development

Microsoft Certified Technology Specialist, Windows Presentation Foundation

WPF disciples


Social:


View my profile on LinkedIn

XING
Creative Commons License
Diary of a Code Trotter by Laurent Bugnion is licensed under a Creative Commons Attribution 3.0 Unported License

All source code on this blog is licensed under the MIT license.

Copyright (c) 2006 - 2011 GalaSoft Laurent Bugnion

Laurent Bugnion (GalaSoft) Diary of a Code Trotter
I only recently became aware of another breaking change in ASP.NET 2.0: In order to optimize session state management, some changes have been implemented. One of the most puzzling ones when you're not aware of it can be reproduced as follows:
  • In ASP.NET 1.1, create a new web application.
  • Add a label to the page, name it lblSessionID.
<asp:Label Runat="server" ID="lblSessionID" />
  • In the code behind, add the following code in the "Page_Load" method:
protected void Page_Load(object sender, EventArgs e) { lblSessionID.Text = this.Session.SessionID; }
  • Load the page in the web browser. Press F5 as many times as you like, and the SessionID remains the same.
This behaviour is expected, and my guess is that quite a few applications rely on the SessionID being consistent on every page refresh.
However, in ASP.NET 2.0, the behaviour is different, which may cause applications to break: If you create a new website (or a new web application) and reproduce all the steps above, the SessionID will be different on every refresh of the page. The reason is found in MSDN:
"When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object."
Since cookie-based session state is the default, this change of behaviour will affect existing web applications relying on the SessionID to identify the current user without having previously stored data in the Session object.
Here is a possible fix:
protected void Page_Load(object sender, EventArgs e) { if ( this.Session[ "dummy" ] == null ) { this.Session[ "dummy" ] = 1; } lblSessionID.Text = this.Session.SessionID; }
Not very elegant, and I can't say that I totally understand the reason why the ASP.NET team doesn't offer a better way to keep the SessionID consistent all the time, even when nothing is stored in the Session object. Anyway, this has caused me a few headaches, so hopefully this article will help other developers.
Posted on Sunday, February 25, 2007 2:51 PM Technical stuff , .NET , ASP.NET 2.0 | Back to top


Comments on this post: Another breaking change in ASP.NET 2.0: Session.SessionID

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Thanks for posting this. I've been trying for nearly two hours to figure out what changed from 1.1 to 2.0. MSDN doesn't make it obvious at all.

Regards,
LRK
Left by LRK on Mar 22, 2007 10:22 PM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Useful info and necessary for some of us working with complex sites with series of integrated forms.
Left by Techno Pig on Mar 30, 2007 2:51 PM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Thx...It's really nice article...
Left by Dilip Namdeo on May 08, 2007 11:03 PM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Thanks, for the comments. It helped a lot. I have wasted a week to find a solution for that. Great Work !!!!
Left by Ajith Kumar A.J on May 20, 2007 9:42 PM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Just one quick question.

When using session state with cookie, the sessionID is stored as a non-persistent cookie on the client side. And as soon as the browser closes, the Session ID cookie is destroyed, right ?

Thanks,
Left by Tarique on May 30, 2007 10:17 AM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Hi,

Yes, it's correct. However it doesn't mean that the session on the server expires immediately. If the session is not abandoned explicitly, it will expire (and the corresponding object in memory will be deleted) only after a timeout, which you can set in the web.config file (default 20 minutes).

Also, note that the session ID cookie is linked to the process on the client. Firefox runs only one process, always. So if you have multiple windows, they all run in the same process, and they all have the same session ID. For IE however, multiple processes are possible (you can have more than one IEXPLORE.EXE in the Task manager). So there is a different session ID for each instance of IEXPLORE.EXE. Multiple windows can run in one instance of this process, so these windows will have the same session ID. It's a bit confusing, I know...

HTH,
Laurent
Left by Laurent on May 30, 2007 5:56 PM

# re: Another breaking change in ASP.NET 2.0: Session.SessionID
Requesting Gravatar...
Thank you sooooooooooo much. I have been struggling with this problem for a few hours now.
Left by Hannes Calitz on Sep 27, 2007 2:11 AM

Comments have been closed on this topic.
Copyright © Laurent Bugnion | Powered by: GeeksWithBlogs.net