Why do I lose ASP Session State on IIS6


A common, mysterious behavior encountered by ASP applications on IIS6 is the loss of session state. It seems to disappear more often and Session.Timeout seem to be ineffective. Why?


Question:


I have session.timout set to all day(1440 minutes).


But if my application has been idle more than 1 hour for example, my usser losts the session.


So, I checked the IIS properties.


I found the DefaultAppPool idle timeout property, which was set to shout down the worker procces after beiing idle for 20 minutes.


Should I set this property to 1440 minutes?  Does it has something to do with session?


And there is some other property: health – shuth down the worker process after 90 minutes.


What about this property? Should be also set to 1440 minutes?


Thank you for your answer,


Answer:


Actually, none of the IIS configuration you mentioned, idle timeout or periodic shutdown, have anything to do with sessions directly, even though they can affect sessions. Let me explain.


Session State Concepts


Conceptually, this is how Session State works (it is pretty much the same for ASP, ASP.Net, JSP, etc – excluding ASP.Net cookieless session state):



  1. The HTTP protocol that the application framework (i.e. ASP, ASP.Net, JSP, etc) uses to transport requests/responses is stateless. This means that given two different users that view the same URL, the server should send back the same response. This is clearly not very interactive nor user-customized, so a long time ago Netscape came up with an idea to maintain state between clients and servers over HTTP – cookies.
  2. How cookies work to maintain state is simple: whenever an web application wants to maintain state (such as runtime session state) with the user of the web browser, it makes the web server return a Set-Cookie: response header with some ID and an arbitrary URL. The web browser is supposed to remember the cookie’s contents (the ID), and whenever the user navigates to the matching URL (or below), it should send that content as a Cookie: request header to the server.

    In other words, if the web application sets a cookie with an ID of “foobar” for the URL of “/app1” of a given website, whenever the browser navigates to this website it is supposed to return the cookie with an ID of “foobar” when the user’s URL is “/app1/default.asp” but not “/app2/default.asp”. Clearly, the web application just needs to set unique IDs and participating browsers will return the cookie so that the web application can later determine the unique user that is interacting with it based on the ID in the cookie.


  3. How a web application uses cookies to maintain session state is also simple: the application framework simply associates all the runtime state of the application with the ID (i.e. SessionID) and makes sure to send that ID with a Set-Cookie on the initial HTTP response, and whenever the web browser makes a subsquent request to the application’s URL namespace, the application framework inspects the cookie header for an ID and if it is found, look up all of the associated runtime state and continue processing the web application with that state. Good application frameworks would also control the time period of validity for this runtime state via something like Session.Timeout.

Session State and Process Recycling


Now that the basics are out of the way, we can get to the question at hand. What does process recycling have anything to do with maintaining session state?


Well, remember that HTTP is stateless. This means that ASP Session State, which is runtime state located on the server, associated with a SessionID, and retrievable via a client-side cookie… must be stored SOMEWHERE in between HTTP requests such that it can be retrieved for subsequent requests by a web browser to give the illusion of “session state”.


On IIS6, the ASP session state is stored in-process with whatever w3wp.exe that is executing ASP.DLL to process your ASP application. This state is valid for as long as the w3wp.exe is running.


Now, some of you may be wondering why setting Session.Timeout does not affect the validity of the session state with respect to process recycling. Well, Session.Timeout is basically an ASP concept relating to the period of validity of a given SessionID by ASP, and that has no clear mapping with the IIS6 concept of recycling a w3wp.exe based on various metrics. What happens if >1 ASP applications have different Session.Timeout values, why should ASP applications have privilege to set Application Pool recycling properties, and what happens if you want a recycling policy that conflicts with Session.Timeout behavior? Which should win?


Hopefully, the implication is now clear. Whenever you establish ASP session state (which is stored inside some w3wp.exe process), if you cause that w3wp.exe to recycle for any reason, the in-process session state will be lost regardless of the value of Session.Timeout. The health monitoring features of IIS6 Application Pool, such as the idle timeout or periodic recycling, all trigger a w3wp.exe recycle based on some metric. Thus, in order for you to preserve the logical concept of an ASP session state that times out after 1440 minutes, above all else, you have two basic choices:



  1. If you use In-Process ASP Session State (this is what is provided by default), then you need to make sure to configure IIS6 Application Pool health monitoring metrics to not recycle the w3wp.exe until after 1440 minutes from the last user request
  2. If you use Out-of-Process ASP Session State – then you do not need to worry about IIS6 Application Pool health monitoring metrics because your session state does not exist in the w3wp.exe and thus survives the w3wp.exe recycling

In your case, since you want to enforce the logical concept of ASP session timeout in 1440 minutes and you are using in-process ASP session state, you need to disable all health monitoring metrics since they can cause premature w3wp.exe recycling and loss of such state. In particular, you need to disable periodic recycling because even if you set it to 1440, it still breaks your logical concept. Suppose an user logs in 1439 minutes after the first request that started up the w3wp.exe… the w3wp.exe will still recycle in one minute because it is configured to recycle 1440 minutes after the first request that started it up. This means that the user just lost his/her session state after one minute of login. Meanwhile, idle timeout should be set to at least 1440 because the w3wp.exe will recycle only after 1440 or more minutes of inactivity – where the ASP session state is supposed to become invalid anyways so it does not matter that the w3wp.exe recycled.


//David

Comments (58)

  1. John says:

    Thanks for your detailed response however we have tried your recommendations and nothing has worked for us.

    The ASP session still seems to disappear after about 30 seconds (give or take) on our site.

    We have changed the application pool, removed all health settings, we didnt have a global.asa because we are using a mysql database, but added one in to see if that mattered.

    We setup loogging to log worker process recycling and nothing has been logged yet?

    Thanks for any help you can provide.

    Why are we losing our session?

  2. David Wang says:

    John – Are you saying that session state does not work at all, or that it works for a couple of requests and then suddenly stops working.

    Based on what I have said about session state, you need to look at whether you are:

    1. using in-process or out-of-process session state

    2. If in-process, then are your requests all to the same process or somehow different processes. For example, Web Garden would befuddle session state because requests can bounce between the various worker processes of the Web Garden, confusing in-process session state. Or is something crashing or otherwise causing w3wp.exe recycling such that state is lost

    3. Is there anything in the network stripping cookies or Set-Cookie to delete session state without ASP/Browser knowing about it.

    Basically, for in-process session state, if you can show that:

    1. Session state cookie is being saved and requested correctly by the browser and server

    2. All requests were handled by ASP in the same process and the process is not crashing

    3. But Session state is still randomly disappearing

    Then I would contact Microsoft PSS for a paid-incident support to see if there is a possible bug there.

    I am not aware of any ASP session state bugs in IIS6, but I will not discount the possibility (anything is possible with software…).

    //David

  3. Tim says:

    Quite a good explaination David ……..

    Mate just wan to know if setting out-of-process session state in IIS 6 is possible & how should one go about it ?

    Many thanks for your answers uptil now.

  4. David Wang says:

    ASP does not provide Out-of-process Session State support by default. Egbert Nierop has written such an implementation, as has others.

    ASP.Net provides an Out-of-process Session State support by default.

    Here is a thread that may be of interest:

    http://forums.asp.net/623999/ShowPost.aspx

    //David

  5. charlie arehart says:

    David, your posts are wonderful (just found them, and I’m printing most of them out to learn).

    But as for the above, you make a comment (replying to someone else) that really hit the nail on the head for us, and I’m sure it must affect others.

    You said that if one were using the (default) in-process session state and enabled a web garden this "would befuddle session state because requests can bounce between the various worker processes of the Web Garden".

    I had just determined that this was indeed out problem. I offer this post to confirm for future readers that this is a real issue. If you have code that relies on sessions, and you enable the web garden feature (set max processes to > 1 for an app pool), you will experience this "curious" "intermittent" loss of sessions (or "unexplainable logouts").

    The problem isn’t work process recycling, nor even application domain restarts (other problems that can kill sessions or force logouts). Instead, it’s just that the web garden feature can cause your requests to eventually be directed to a new worker process where the session you had is not existing.

    Bottom line: if using sessions and you enable web gardens, you had better enable StateServer or SQLServer for session management.

    Or is there anything else you or others would propose about this conclusion. If my thoughts here help even a fraction as much as yours have, I’m happy to have shared this.

    PS It’s a shame your comment feature doesn’t enable us to enter our email address to be notified of any new comments. Is that something you can consider?

  6. David Wang says:

    Charlie – Thanks for the encouragement and information. Yes… the basic issue is that Web Garden introduces multiple processes to service requests while in-process state is not automatically copied across processes… so you either need to avoid state, manually synchronize it, or centralize and share the state in an out-of-process session state store.

    The blog software (Community Server) does have a feature for one to enter email address to be notified of any new comments. I see a "Receive email notifications" link with the blog entry, and I use it to know when there is new feedback.

    //David

  7. David Wang says:

    Got the link from Egbert – Out-of-process session state for ASP compatible with recycling.

    http://www.nieropwebconsult.nl/asp_session_manager.htm

    //David

  8. Alex says:

    Is there any free Out-of-process session state for ASP available?

    Nieropwebconsult’s solution is quite expensive.

  9. Brian says:

    Great information here, thank you David. I have been running around in circles for quite some time on a session problem with ASP.NET, and I wanted to point to another bit of information that I didn’t find referenced in many places on the web.

    If you are losing your session and can’t find any evidence of process recycling, check out this Microsoft KB article detailing a bug with MSIE 5.5 that may cause your client to break itself.

    <a href="http://support.microsoft.com/kb/288993/en-us">Session Data Is Lost During POST to GET Redirect</a>

  10. Tracy Davenport says:

    We are using out of process session (state server) due to a load-balanced webfarm.  But when I turn on the webgarden we randomly loose session (2 min, 4 min, etc. when session timeout is set to 20 min).  No one else has experienced this?

  11. Dave says:

    I’ve seen people mention using SQL server to maintain state.

    Can someone elaborate on how this is done?

    Is there a COM object to do this? Is it ASP hand coded?

    Please explain.

    Thank you!

  12. David.Wang says:

    It’s another 10K entry!

    //David

  13. David.Wang says:

    Tracy – if you are saying that things work perfectly without web garden but randomly fails with web garden, then it is important to determine if the cause is due to:

    1. The client is not sending the correct session ID cookie

    2. The session ID is not retrieving the correct session state

    3. Something else

    Also, can you describe the technical reason why you enable web garden? Read the following blog entry about performance/reliability tradeoffs for threading and web garden:

    http://blogs.msdn.com/david.wang/archive/2006/03/14/Thoughts_on_Application_Pools_running_out_of_threads.aspx

    //David

  14. David.Wang says:

    Dave – session state is simply a blob of data which a web page can retrieve with an ID. The ID comes from the browser; the blob of data can be stored either in a data structure inside the same process or elsewhere, using memory, SQL, disk, etc.

    ASP provides an implementation that stores the data in the memory of the process handing the ASP page. You have to either find or write an implementation that stores the data elsewhere, in a SQL Server, for example. This implementation can be exposed via COM object, etc.

    Some people have written implementations to perform the above and charge for it; you are always free to write your own. Or you can upgrade to ASP.Net and use its free implementation of a SQL Server-based out-of-process session state service.

    //David

  15. Julien says:

    Has anybody heard about the loss of the session when the name of the server contains "_"?

    My web application works on machines without "_" but if there is a "_" in the name, I lose the session…

    Thank you

  16. David.Wang says:

    Julien – that behavior is actually by-design. I found the answer by searching for:

    lose ASP session state "_"

    The issue has nothing to do with IIS nor your web application but the loss of cookies.

    //David

  17. Saumin says:

    hi david,

    We are upgrading from IIS 5 to IIS 6. We have 3 load balanced web servers. My question is in IIS6, do i still need to have same instance in IIS metabase for a website? i referred to http://support.microsoft.com/default.aspx?scid=kb;EN-US;q325056 for that. And do we have still have to generate a session key and put that same in machine.config on all 3 web servers?

    I will appreciate your response.

    Thanks!

    saumin

  18. David.Wang says:

    Saumin – No idea. Your questions are best answered on an ASP.Net Forum such as http://www.asp.net or by applicable KB articles based on your ASP.Net version.

    //David

  19. Imran Balouch says:

    We are also experiencing the same problem as of Tracy.

    We are using in process session ,but when I turn on the webgarden we randomly loose session before the time out of session.

    And when we turn off the web garden than it works fine.

  20. zeeomar says:

    "Application Pool health monitoring metrics to not recycle the w3wp.exe until after 1440 minutes from the last user request "

    Instead of doing that, can you just recycle the process at a specific time, such as 1am., that would be the same right?

    also how do you disable the webgarden (do you just set the # of processes to 1? )

  21. utsav says:

    Hi everyone, can any one tell me where i can find the registry entry of application pool properties.. ie in performance tab for shutdown worker process after boing idle

  22. naidelih says:

    Hi does the javascript affect session timeout. i have a problem maintaining my session state i set it to timeout by 400 (400 minutes) I have a javascript(serves as a timer countdown within 50 minutes). the purpose of the java is to submit the page after 50 minutes but i lose session after that. any suggestions pls.

  23. Adam says:

    You can change the recycle settings within the IIS MMC – just get the porperties of the Applciation Pools. From here you can set it to recycle the process at specific times of the day or after a certain number of requests.

  24. Sridhar says:

    We had "InProc" session management and the sessions would drop very randomly.

    Background

    We had a process which was logging the time and date the daemon process was run. See the below link, of what it has to say!

    http://support.microsoft.com/kb/324772

    Cause

    <b>if any file in the application’s directory changes, the session would be lost! </b>

    Strange but true, MSFT calls it a feature, but honestly I think this is a flaw in the “InProc” session management of MSFT IIS 6 Server.

    Solutions.

    1.Change the session management algorithm

    2.Don’t update or create any files in the application server directory

  25. Ro says:

    Hello!

    I am developing a web site with ASP (Framework 1.1) and AJAX, which is running in a platform with the IIS6 in a Windows 2003 server.

    The session always expired after 20 minutes. I tried modifying all the timeouts of the Application Pools, and at last I disabled all the timeouts, the recycling schemes…

    Now my problem is that the static web pages run correctly, but the ones which are been updated lose the session after 20 minutes. The updating is done by means of AJAX requests each 8 minutes….

    The strage thing is that this problem doesn’t happens in a platform.

    Could everyone help me?

    Thank you very much!

  26. Girish says:

    Following are the issue we are facing

    1.In our case we are writting cookies through ASP file but then also after some idel time 20 minutes system could not read the values from cookies. In our application we are using ASP as well as .NET

    2. After recycling session state is lost. as such we are not using any session variables but we are using the cookies. due to session expiration system could not read the cookies. But this behavior is not obnserved for each recycling time. some times it expire session and some time not.  could not figure out how this is happening do you have any idea

  27. Mark Houldridge says:

    After upgrading to Service Pack 2 for Windows 2003 Server we noticed issues with session states in that browser session id’s were switching unexpectidely causing problems with login forms and various other areas of our websites.

    To solve the problem with sessions I created a custom application pool within IIS, selected the application pool properties and limited the number of worker process to 1.  Anything more than 1 will cause IIS to spawn a new process and therefore assign a new session.

    I have tested from a number of browsers and this works.  

    This is a fix for people creating sessions on the fly within IIS.

  28. Gavin campbel says:

    Hello,

    I am having  real problem with this as well. I get the following error in the event log. A worker process with ID’12720′ serving the defaultAppPool has requested a recycle because the worker process reached its allowed processing time limit.

    I lose session variables when this happens(after reading the above article that is far enough).However, i am not sure why this error happens i have about maybe 75 pages which connect to a database and create conn and rs objects , and i have noticed the connection string is in Session object and many of the pages do not destroy the recordsets or the conn to the db properly after closing them ( i.e.set them to nothing) could this lazy coding be causing my issues cause this recylce is happening about once a day consistently . I have about 100 users at anyone time accessing the web site.

    Basically i need the root cause of why the allowed processing time limit error is happening

    Any help or ideas would be appreicated

    Gavin

  29. Simcha says:

    I’ve had a problem on my site where, using classic ASP, the session variable gets halted/stalled and appears empty.  Refresh sometimes clears the problem resulting in the session variable containing what it should have done originally.  I’ve made sure the cookies are set correct and I’ve tried to remove any conflict with my AV software (Norton).  

    Could it be a VISTA IE7 thing?

    Please, any ideas?

  30. Michael Smit says:

    Guys – THANK-YOU!!! We have been fiddling for 2 days (two of us) trying to figure out why sessions where lost every few minutes.

    The web farm thing worked. Perfectly. All is up and running.

    THANK-YOU AGAIN!!! You lot ROCK!

  31. John Homer says:

    The ASP (not .Net) session timeout is stored in the ASP application configuration. This is accessed via the website properties (not the application pool) on the Home Directory tab. Click the configuration button and then select the Options tab. You may then set the ASP session timeout valus in minutes which is 20 by default. This will terminate any session afetr 20 minutes on inactivity.

    Note that this is independent of the application pool settings. In fact, you don’t even need an application pool to utilize this setting. For instance, you can configure IIS 6 to run in IIS 5 compatibility mode (or just use IIS 5) and then configure your ASP Application Protection (Home Directory tab in website properties) to "Low (IIS Process)" which will run the application in-process (inside the  inetinfo.exe process instead of w3wp.exe or dllhost.exe). Even in this scenario, the ASP timeout setting mentioned above is still effective.

    For ASP.Net you can configure the session timout in your application’s web.config. Look for the following line and configure accordingly:

    <sessionState mode="InProc" cookieless="false" timeout="20"/>

  32. EricWiz says:

    I just wanted to say thanks!! This post and the resulting comments helped me solve a nagging problem with users being ‘randomly’ logged out.

    I am using classic ASP and the web garden was > 1. Once I dropped it to 1 the problem disappeared.

    So it effects classic asp as well. Seems like the this information should really be added to the help section for IIS.

  33. Bryan says:

    Hello David,

    I have taken over this project at my company and its developed in ASP, now they use session to identify pages, xx1 = apage.asp

    Now i can tell you i am no good in ASP, just started learning it.

    The session is created in the global.asa (dit some research on ASP and understand it) but the session is not created, now is this same project online on a different server and working.

    But with me the sessions is just not created so i cant visit the pages, do you have any idea’s?

    I understand sessions and the global.asa a bit, but i cant find the problem so i cant solve the problem…

    Kind regards,

    Bryan

  34. John says:

    12 hours later, our ‘caching’ problem (apparent random results assumed to be cached pages from previous requests) is solved simply by dropping the number of worker processes from 2 to 1 on our quad-core web server (fat lot of use that is!).

    Thanks to all here for getting this page Google-able.

    Gotta say that it’s hard to believe that I’m using VS2008/C# 3.5/Win 2003 Server & IIS 6 and MS *STILL* haven’t made it all hang together properly for multi-core web servers (y’know, like anything made in the past years …).

    Thanks again guys.

  35. David.Wang says:

    John – Actually, Microsoft INTENTIONALLY did not make ASP hang properly on multi-core with the ease of ASP.Net

    Microsoft has long made it hang together properly, from the beginning, for ASP.Net with the Session State Service. However, ASP predates all of this discussion, and there was a consciously decision in IIS6 to NOT produce a ASP Session State Service which would have addressed your concerns.

    You can view the decision as — by making an ASP Session State Service, that would be one more thing prohibiting people from migrating to ASP.Net — so to promote ASP.Net and the future of .Net, ASP had to be less capable.

    //David

  36. Scorpion says:

    Hi David,

    Your posts are very great assest to developers (great job!)

    I have a web application written in ASP classic.

    We have upgraded to IIS 6, and I was/am experiencing a session timeout problem, I searched the web and updated the IIS configuration to eleiminate the worker process recycling (and other settings as well that are listed above).

    The problem is:

    When I leave any page idle for about 10~25 minutes and try to go to any other page, I get the message "You are about to be redirected to a connection that is not secure.

    The information you are sending to the current site might be retransmitted to a non-secure site. Do you with to continue?"

    This happens while I am not using any secured page(https) in this application, and the session is lost again.

    What could be the problem? What to search for? I am lost!

    Please advice.

    Thanks in advance.

  37. Scorpion says:

    Correction:

    Your posts are a great asset to developers (great job!)

  38. Stephen Botha says:

    David, A quick question regarding what seems to be a recycling issue as well. With a couple of sites on iis6 and each one using their own application pool, there is one of them out of all the 6 that cannot seem to hold onto what i believe is a session. After about 60 minutes, not always, but around that time it seems that the session dies because i can no longer read the data stored in a simple script from a session. I believe it has everything to do with the fact that his site seems to be extremely slow and the single cause for his whole server to be lagging severely. Once i stop his site (which is largely ASP driven) the server regains its performance. As well the script is able to run without losing its session. I think its a simple matter of the site overloading asp threads, but i’m not to firm on the understanding of what happens in this case. Does the application pool moniter the asp threads, and once it reaches too many processes it recycles it and therefore causes the application object to lost its session?

  39. Robert says:

    Having read these posts I think I have a situation that is unique that maybe someone can help answer.  The session state is only being lost on one specific install of IE7.  All other users are able to log in and retain the session state except for one user.  The user is running Symantec Corporate and we disable this to ensure the virus software was not interfering.  

    Any suggestions on how this can occur?

  40. David.Wang says:

    Robert – it sounds like that specific user is somehow disabling cookies, which is used to maintain session state between the browser and server.

    //David

  41. Lucas says:

    David, all I can say is You Are Great!

    Every time I have an issue I surf all kinds of forums googling my problem, and I never found such a great explanation on an issue as the one you have provided.

    Here’s what I do to manage webfarming on ASP using in process session state:

    Use a redirection page that will contains the following code

    ==========================================

    – Generate a Unique ID (This can easily be done by inserting into a "dummy" table that only contains an identity number)

    – Every session element is saved into a table in the database that contains a unique ID, and the current DateTime:

    ID / SessionVariableName / SessionVariableValue / DateTime

    – POST the unique ID and the main page address of the current server (where the user would go to log in for the first time) to a receiving page in the new server and anyother POST if necesary

    In the new server (receiving page)

    – The Unique ID will be used to get the session variables from the DB and be defined in the new server.

    – The current time is matched with the datetime saved in the db table plus a configurable value (1 minute at the most)

    – If it matches, deletes all the entries for the selected UniqueID Ensuring that even if the time didn’t pass, the session variables will not be available in the db.

    – If it doesn’t match redirect to the caller’s home page (for security purposes).

    Hope it helps!!

  42. David.Wang says:

    Lucas – Actually, you describe an out-of-process session state implementation, which should work perfectly fine (and you’ve verified it!) 🙂

    The actual state values are in the database table, which is stored outside the process serving ASP. You essentially pass a SessionID around to any server in the web farm, which can access the same session state from the database, no matter which server in the web farm handles the request.

    This is analogous in behavior to the ASP.Net Session State Service, and the design is quite effective at leverage IIS6 Web Gardens and Web Farms in a scale-out fashion to handle load.

    //David

  43. Leandro Tami says:

    @Lucas & David Wang: Be extremely careful with that approach! You should make sure that session ids are not only unique but unpredictible as well, or someone might just tamper their POST parameter a bit and stole someone else’s session!

    Using an identity field as a session id generator is probably the worst idea because it will generate sequential IDs. I recommend you to do a small change: remove identity to the SessionID field and assign it "newid()" as default value. That will generate random alphanumerical strings which are possibly extremely difficult to predict. If you still need it to be numerical, then use a random function.

    Oh, and finally, make sure you’re deleting records of expired sessions and not accumulating them in the session table

  44. Nitin says:

    Hi All,

    I have little different kind of plroblem.

    ———————————————–

    I am using VS 2005 ASp.Net. and in my web application i manage my Session out proc state i.e. in Sql Server. there are two module in it. in which one is working fine and all the session variable mantain properly but in another module some of the session variable losing its value with in 5 sec on the same page or either on redirect on the other page. i can change my session variable name but still the problem exist.

    Thanks,

    Nitin

  45. Chris Yao says:

    I’m lost.

    If by default, the WWW service establishes an overlapped recycle, in which the worker process that is to be shut down is kept running until after a new worker process is started, how come the session state will be lost?

    (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/24e3c22e-79a9-4f07-a407-dbd0e7f35432.mspx?mfr=true)

  46. Just D. says:

    A new look of the old problem. Thanks for this article! Really, we got the same problem on our server, and I’m testing the server and its settings basing on this article.

  47. Robert says:

    Hi David,

    I wanted to report back that after trying everything I could to resolve my issue with session state I was not able to resolve it.  I recently had a PC crash and had to rebuild from scratch. (Don’t worry, I had a recent back-up of everything).

    When I diagnosed the reason for the crash it was related to a corrupt registry.  My registry was massive and I now believe it was the root of this issue.  (I previously tried some registry cleaning software and none of them worked.  I have also read that many of these cause more harm than good and should not be used.)

    So while there are a lot of great suggestions here about resolving session state problems, if none of them work you may have my issue and require a complete rebuild.  I do not know if there could have been other solutions, but when I consider the hours spent searching for solutions and trying different things, in the end the fastest solution was to do a clean install of everything.

    Hopefully this post will help others avoid the hours of frustration trying to resolve this problem.

  48. BEK says:

    David,

    We have an 3rd party application developed using Framework 1.1, which is running on a platform using IIS6 in a Windows 2003 server.

    The application randomly "loses" the session variables.  When this occurs the aspx pages throw the "Object reference not set …" exception.

    I have tracked the occurences back thru the Web site log and I am seeing a number of sc-win32-status = "64" errors.

    When the "64" error occurs in the GET 200 transaction of the first page, the sc-bytes value is much smaller than normal, the time-taken value is much higher than normal, and the called aspx page throws the exception when trying to use the Session values in creating its content.

    Below is a section of the Web log showing the "normal" behaviour vs the behaviour when a "64" error is encounterd.  

    Normal behaviour

    cs-method cs-uri-stem sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

    GET /App1/Page1.aspx 200 0 0 22869 495 406

    POST /App1/Page1.aspx 302 0 0 453 4834 265

    GET /App1/Page2.aspx 200 0 0 15374 603 312

    Abnormal Behaviour

    cs-method cs-uri-stem sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

    GET /App1/Page1.aspx 200 0 64 288 495 812

    POST /App1/Page1.aspx 302 0 0 453 1850 171

    GET /App1/Page2.aspx 200 0 0 1124 603 328

    Notice the sc-bytes value shrinks from 22869 to 288, the time-take increases from 406 to 812, and the sc-bytes for Page2.aspx shrinks from 15374 to 1124.

    Do you have any ideas on what is happening?

    Thanks

  49. Pamela Hansard says:

    I have the same question as Chris Yao stated above, which does not appear to have been addressed yet.

    **************************************************

    If by default, the WWW service establishes an overlapped recycle, in which the worker process that is to be shut down is kept running until after a new worker process is started, how come the session state will be lost?

    (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/24e3c22e-79a9-4f07-a407-dbd0e7f35432.mspx?mfr=true)

    **************************************************

  50. Chhengkong says:

    Hi Dear

     Can you help me about losing session. I use webconfig for control session all the page but it usually losing session I don’t know the problem. If you know can you tell me?

  51. Yan says:

    My session state is set to serverstate, and timeout is set to 60 minutes, however each session still expires in about 20 minutes.

  52. Yan says:

    I mean session state is StateServer in the last post

  53. Yogesh says:

    Hi David,

    Thank you very much for such a great information. I am facing early timeout problem. Everywhere I have marked as 20 minutes, but session times out just after login or after logged in and searched any thing in our application, it throws the user out of the application (session timeout). This is well running application for last 2 years and now we are facing the problem.

    Environment: ASP.NET 2.0, W2K3 server, Load Balanced Clustered Servers.

    I have checked Web.config file of Application, Application session timeout in IIS, Default website session timeout in IIS, Worker process idle timeout of application pool, Recycle timeout period of application pool, Antivirus setting and everywhere it is mentioned correctly i.e. 20 minutes.

    I am not able to resolve the issue and client is asking for urgent resolution.

  54. Michael says:

    I’m facing the same problem. I’m working with a  web farm. Could be tha case that my web application is being redirected to a new Worker process? in that case, how can I trace this behavior, I mean How can I now if this issue is happening.

    Thanks

  55. Sridhar says:

    Hi,

    I am having a situation where the worker process seems to recycle every so often, sometime within seconds. This does not happen if the user logging into the website has admin access to the server. We are running the website on IIS6 & ASP.Net 2.0 with a few simple Ajax controls.

    Looked at all the options provided in this thread but without luck. Any inputs on the problem are appreciated.

    Regards

    Sridhar

  56. Tim says:

    I’ve been having the same problem as many described where my application would timeout very quickly. Since I was using session variables to maintain authentication state, I had to log back in frequently. The problem was the "Web Garden" feature where I had set "max number of worker processes = 20". Now that I cut the processes down to 1, my application maintains the session state and my authentication state is stable for the 20minute timeout period.

    Many thanks for your explanations on here!