Why do I lose ASP Session State on IIS6 
A common, mysterious behavior encountered by ASP applications on IIS6 is the loss of session state. It seems to disappear more often and Session.Timeout seem to be ineffective. Why?
Question:
I have session.timout set to all day(1440 minutes).
But if my application has been idle more than 1 hour for example, my usser losts the session.
So, I checked the IIS properties.
I found the DefaultAppPool idle timeout property, which was set to shout down the worker procces after beiing idle for 20 minutes.
Should I set this property to 1440 minutes? Does it has something to do with session?
And there is some other property: health - shuth down the worker process after 90 minutes.
What about this property? Should be also set to 1440 minutes?
Thank you for your answer,
Answer:
Actually, none of the IIS configuration you mentioned, idle timeout or periodic shutdown, have anything to do with sessions directly, even though they can affect sessions. Let me explain.
Session State Concepts
Conceptually, this is how Session State works (it is pretty much the same for ASP, ASP.Net, JSP, etc - excluding ASP.Net cookieless session state):
- The HTTP protocol that the application framework (i.e. ASP, ASP.Net, JSP, etc) uses to transport requests/responses is stateless. This means that given two different users that view the same URL, the server should send back the same response. This is clearly not very interactive nor user-customized, so a long time ago Netscape came up with an idea to maintain state between clients and servers over HTTP - cookies.
- How cookies work to maintain state is simple: whenever an web application wants to maintain state (such as runtime session state) with the user of the web browser, it makes the web server return a Set-Cookie: response header with some ID and an arbitrary URL. The web browser is supposed to remember the cookie's contents (the ID), and whenever the user navigates to the matching URL (or below), it should send that content as a Cookie: request header to the server.
In other words, if the web application sets a cookie with an ID of "foobar" for the URL of "/app1" of a given website, whenever the browser navigates to this website it is supposed to return the cookie with an ID of "foobar" when the user's URL is "/app1/default.asp" but not "/app2/default.asp". Clearly, the web application just needs to set unique IDs and participating browsers will return the cookie so that the web application can later determine the unique user that is interacting with it based on the ID in the cookie.
- How a web application uses cookies to maintain session state is also simple: the application framework simply associates all the runtime state of the application with the ID (i.e. SessionID) and makes sure to send that ID with a Set-Cookie on the initial HTTP response, and whenever the web browser makes a subsquent request to the application's URL namespace, the application framework inspects the cookie header for an ID and if it is found, look up all of the associated runtime state and continue processing the web application with that state. Good application frameworks would also control the time period of validity for this runtime state via something like Session.Timeout.
Session State and Process Recycling
Now that the basics are out of the way, we can get to the question at hand. What does process recycling have anything to do with maintaining session state?
Well, remember that HTTP is stateless. This means that ASP Session State, which is runtime state located on the server, associated with a SessionID, and retrievable via a client-side cookie... must be stored SOMEWHERE in between HTTP requests such that it can be retrieved for subsequent requests by a web browser to give the illusion of "session state".
On IIS6, the ASP session state is stored in-process with whatever w3wp.exe that is executing ASP.DLL to process your ASP application. This state is valid for as long as the w3wp.exe is running.
Now, some of you may be wondering why setting Session.Timeout does not affect the validity of the session state with respect to process recycling. Well, Session.Timeout is basically an ASP concept relating to the period of validity of a given SessionID by ASP, and that has no clear mapping with the IIS6 concept of recycling a w3wp.exe based on various metrics. What happens if >1 ASP applications have different Session.Timeout values, why should ASP applications have privilege to set Application Pool recycling properties, and what happens if you want a recycling policy that conflicts with Session.Timeout behavior? Which should win?
Hopefully, the implication is now clear. Whenever you establish ASP session state (which is stored inside some w3wp.exe process), if you cause that w3wp.exe to recycle for any reason, the in-process session state will be lost regardless of the value of Session.Timeout. The health monitoring features of IIS6 Application Pool, such as the idle timeout or periodic recycling, all trigger a w3wp.exe recycle based on some metric. Thus, in order for you to preserve the logical concept of an ASP session state that times out after 1440 minutes, above all else, you have two basic choices:
- If you use In-Process ASP Session State (this is what is provided by default), then you need to make sure to configure IIS6 Application Pool health monitoring metrics to not recycle the w3wp.exe until after 1440 minutes from the last user request
- If you use Out-of-Process ASP Session State - then you do not need to worry about IIS6 Application Pool health monitoring metrics because your session state does not exist in the w3wp.exe and thus survives the w3wp.exe recycling
In your case, since you want to enforce the logical concept of ASP session timeout in 1440 minutes and you are using in-process ASP session state, you need to disable all health monitoring metrics since they can cause premature w3wp.exe recycling and loss of such state. In particular, you need to disable periodic recycling because even if you set it to 1440, it still breaks your logical concept. Suppose an user logs in 1439 minutes after the first request that started up the w3wp.exe... the w3wp.exe will still recycle in one minute because it is configured to recycle 1440 minutes after the first request that started it up. This means that the user just lost his/her session state after one minute of login. Meanwhile, idle timeout should be set to at least 1440 because the w3wp.exe will recycle only after 1440 or more minutes of inactivity - where the ASP session state is supposed to become invalid anyways so it does not matter that the w3wp.exe recycled.
//David
Comments
# re: Why do I lose ASP Session State on IIS6
The ASP session still seems to disappear after about 30 seconds (give or take) on our site.
We have changed the application pool, removed all health settings, we didnt have a global.asa because we are using a mysql database, but added one in to see if that mattered.
We setup loogging to log worker process recycling and nothing has been logged yet?
Thanks for any help you can provide.
Why are we losing our session?
# re: Why do I lose ASP Session State on IIS6
Based on what I have said about session state, you need to look at whether you are:
1. using in-process or out-of-process session state
2. If in-process, then are your requests all to the same process or somehow different processes. For example, Web Garden would befuddle session state because requests can bounce between the various worker processes of the Web Garden, confusing in-process session state. Or is something crashing or otherwise causing w3wp.exe recycling such that state is lost
3. Is there anything in the network stripping cookies or Set-Cookie to delete session state without ASP/Browser knowing about it.
Basically, for in-process session state, if you can show that:
1. Session state cookie is being saved and requested correctly by the browser and server
2. All requests were handled by ASP in the same process and the process is not crashing
3. But Session state is still randomly disappearing
Then I would contact Microsoft PSS for a paid-incident support to see if there is a possible bug there.
I am not aware of any ASP session state bugs in IIS6, but I will not discount the possibility (anything is possible with software...).
//David
# re: Why do I lose ASP Session State on IIS6
Mate just wan to know if setting out-of-process session state in IIS 6 is possible & how should one go about it ?
Many thanks for your answers uptil now.
# re: Why do I lose ASP Session State on IIS6
ASP.Net provides an Out-of-process Session State support by default.
Here is a thread that may be of interest:
http://forums.asp.net/623999/ShowPost.aspx
//David
# re: Why do I lose ASP Session State on IIS6
But as for the above, you make a comment (replying to someone else) that really hit the nail on the head for us, and I'm sure it must affect others.
You said that if one were using the (default) in-process session state and enabled a web garden this "would befuddle session state because requests can bounce between the various worker processes of the Web Garden".
I had just determined that this was indeed out problem. I offer this post to confirm for future readers that this is a real issue. If you have code that relies on sessions, and you enable the web garden feature (set max processes to > 1 for an app pool), you will experience this "curious" "intermittent" loss of sessions (or "unexplainable logouts").
The problem isn't work process recycling, nor even application domain restarts (other problems that can kill sessions or force logouts). Instead, it's just that the web garden feature can cause your requests to eventually be directed to a new worker process where the session you had is not existing.
Bottom line: if using sessions and you enable web gardens, you had better enable StateServer or SQLServer for session management.
Or is there anything else you or others would propose about this conclusion. If my thoughts here help even a fraction as much as yours have, I'm happy to have shared this.
PS It's a shame your comment feature doesn't enable us to enter our email address to be notified of any new comments. Is that something you can consider?
# re: Why do I lose ASP Session State on IIS6
The blog software (Community Server) does have a feature for one to enter email address to be notified of any new comments. I see a "Receive email notifications" link with the blog entry, and I use it to know when there is new feedback.
//David
# re: Why do I lose ASP Session State on IIS6
http://www.nieropwebconsult.nl/asp_session_manager.htm
//David
# re: Why do I lose ASP Session State on IIS6
Nieropwebconsult's solution is quite expensive.
# re: Why do I lose ASP Session State on IIS6
If you are losing your session and can't find any evidence of process recycling, check out this Microsoft KB article detailing a bug with MSIE 5.5 that may cause your client to break itself.
http://support.microsoft.com/kb/288993/en-us">Session Data Is Lost During POST to GET Redirect
# re: Why do I lose ASP Session State on IIS6
http://support.microsoft.com/kb/288993/en-us
# re: Why do I lose ASP Session State on IIS6
# re: Why do I lose ASP Session State on IIS6
Can someone elaborate on how this is done?
Is there a COM object to do this? Is it ASP hand coded?
Please explain.
Thank you!
# re: Why do I lose ASP Session State on IIS6
//David
# re: Why do I lose ASP Session State on IIS6
1. The client is not sending the correct session ID cookie
2. The session ID is not retrieving the correct session state
3. Something else
Also, can you describe the technical reason why you enable web garden? Read the following blog entry about performance/reliability tradeoffs for threading and web garden:
http://blogs.msdn.com/david.wang/archive/2006/03/14/Thoughts_on_Application_Pools_running_out_of_threads.aspx
//David
# re: Why do I lose ASP Session State on IIS6
ASP provides an implementation that stores the data in the memory of the process handing the ASP page. You have to either find or write an implementation that stores the data elsewhere, in a SQL Server, for example. This implementation can be exposed via COM object, etc.
Some people have written implementations to perform the above and charge for it; you are always free to write your own. Or you can upgrade to ASP.Net and use its free implementation of a SQL Server-based out-of-process session state service.
//David
# re: Why do I lose ASP Session State on IIS6
My web application works on machines without "_" but if there is a "_" in the name, I lose the session...
Thank you
# re: Why do I lose ASP Session State on IIS6
lose ASP session state "_"
The issue has nothing to do with IIS nor your web application but the loss of cookies.
//David
# re: Why do I lose ASP Session State on IIS6
We are upgrading from IIS 5 to IIS 6. We have 3 load balanced web servers. My question is in IIS6, do i still need to have same instance in IIS metabase for a website? i referred to http://support.microsoft.com/default.aspx?scid=kb;EN-US;q325056 for that. And do we have still have to generate a session key and put that same in machine.config on all 3 web servers?
I will appreciate your response.
Thanks!
saumin
# re: Why do I lose ASP Session State on IIS6
//David
# Session timeout virker nu som den skal.
# re: Why do I lose ASP Session State on IIS6
We are using in process session ,but when I turn on the webgarden we randomly loose session before the time out of session.
And when we turn off the web garden than it works fine.
# re: Why do I lose ASP Session State on IIS6
Instead of doing that, can you just recycle the process at a specific time, such as 1am., that would be the same right?
also how do you disable the webgarden (do you just set the # of processes to 1? )
# re: Why do I lose ASP Session State on IIS6
# re: Why do I lose ASP Session State on IIS6
# re: Why do I lose ASP Session State on IIS6
You can change the recycle settings within the IIS MMC - just get the porperties of the Applciation Pools. From here you can set it to recycle the process at specific times of the day or after a certain number of requests.
# re: Why do I lose ASP Session State on IIS6
We had "InProc" session management and the sessions would drop very randomly.
Background
We had a process which was logging the time and date the daemon process was run. See the below link, of what it has to say!
http://support.microsoft.com/kb/324772
Cause
if any file in the application's directory changes, the session would be lost!
Strange but true, MSFT calls it a feature, but honestly I think this is a flaw in the 「InProc」 session management of MSFT IIS 6 Server.
Solutions.
1.Change the session management algorithm
2.Don't update or create any files in the application server directory
# re: Why do I lose ASP Session State on IIS6
Hello!
I am developing a web site with ASP (Framework 1.1) and AJAX, which is running in a platform with the IIS6 in a Windows 2003 server.
The session always expired after 20 minutes. I tried modifying all the timeouts of the Application Pools, and at last I disabled all the timeouts, the recycling schemes...
Now my problem is that the static web pages run correctly, but the ones which are been updated lose the session after 20 minutes. The updating is done by means of AJAX requests each 8 minutes....
The strage thing is that this problem doesn't happens in a platform.
Could everyone help me?
Thank you very much!
# re: Why do I lose ASP Session State on IIS6
Following are the issue we are facing
1.In our case we are writting cookies through ASP file but then also after some idel time 20 minutes system could not read the values from cookies. In our application we are using ASP as well as .NET
2. After recycling session state is lost. as such we are not using any session variables but we are using the cookies. due to session expiration system could not read the cookies. But this behavior is not obnserved for each recycling time. some times it expire session and some time not. could not figure out how this is happening do you have any idea
# re: Why do I lose ASP Session State on IIS6
After upgrading to Service Pack 2 for Windows 2003 Server we noticed issues with session states in that browser session id's were switching unexpectidely causing problems with login forms and various other areas of our websites.
To solve the problem with sessions I created a custom application pool within IIS, selected the application pool properties and limited the number of worker process to 1. Anything more than 1 will cause IIS to spawn a new process and therefore assign a new session.
I have tested from a number of browsers and this works.
This is a fix for people creating sessions on the fly within IIS.
# re: Why do I lose ASP Session State on IIS6
Hello,
I am having real problem with this as well. I get the following error in the event log. A worker process with ID'12720' serving the defaultAppPool has requested a recycle because the worker process reached its allowed processing time limit.
I lose session variables when this happens(after reading the above article that is far enough).However, i am not sure why this error happens i have about maybe 75 pages which connect to a database and create conn and rs objects , and i have noticed the connection string is in Session object and many of the pages do not destroy the recordsets or the conn to the db properly after closing them ( i.e.set them to nothing) could this lazy coding be causing my issues cause this recylce is happening about once a day consistently . I have about 100 users at anyone time accessing the web site.
Basically i need the root cause of why the allowed processing time limit error is happening
Any help or ideas would be appreicated
Gavin
# re: Why do I lose ASP Session State on IIS6
I've had a problem on my site where, using classic ASP, the session variable gets halted/stalled and appears empty. Refresh sometimes clears the problem resulting in the session variable containing what it should have done originally. I've made sure the cookies are set correct and I've tried to remove any conflict with my AV software (Norton).
Could it be a VISTA IE7 thing?
Please, any ideas?
# re: Why do I lose ASP Session State on IIS6
Guys - THANK-YOU!!! We have been fiddling for 2 days (two of us) trying to figure out why sessions where lost every few minutes.
The web farm thing worked. Perfectly. All is up and running.
THANK-YOU AGAIN!!! You lot ROCK!
# re: Why do I lose ASP Session State on IIS6
The ASP (not .Net) session timeout is stored in the ASP application configuration. This is accessed via the website properties (not the application pool) on the Home Directory tab. Click the configuration button and then select the Options tab. You may then set the ASP session timeout valus in minutes which is 20 by default. This will terminate any session afetr 20 minutes on inactivity.
Note that this is independent of the application pool settings. In fact, you don't even need an application pool to utilize this setting. For instance, you can configure IIS 6 to run in IIS 5 compatibility mode (or just use IIS 5) and then configure your ASP Application Protection (Home Directory tab in website properties) to "Low (IIS Process)" which will run the application in-process (inside the inetinfo.exe process instead of w3wp.exe or dllhost.exe). Even in this scenario, the ASP timeout setting mentioned above is still effective.
For ASP.Net you can configure the session timout in your application's web.config. Look for the following line and configure accordingly:
# re: Why do I lose ASP Session State on IIS6
I just wanted to say thanks!! This post and the resulting comments helped me solve a nagging problem with users being 'randomly' logged out.
I am using classic ASP and the web garden was > 1. Once I dropped it to 1 the problem disappeared.
So it effects classic asp as well. Seems like the this information should really be added to the help section for IIS.
# re: Why do I lose ASP Session State on IIS6
Hello David,
I have taken over this project at my company and its developed in ASP, now they use session to identify pages, xx1 = apage.asp
Now i can tell you i am no good in ASP, just started learning it.
The session is created in the global.asa (dit some research on ASP and understand it) but the session is not created, now is this same project online on a different server and working.
But with me the sessions is just not created so i cant visit the pages, do you have any idea's?
I understand sessions and the global.asa a bit, but i cant find the problem so i cant solve the problem...
Kind regards,
Bryan
# re: Why do I lose ASP Session State on IIS6
12 hours later, our 'caching' problem (apparent random results assumed to be cached pages from previous requests) is solved simply by dropping the number of worker processes from 2 to 1 on our quad-core web server (fat lot of use that is!).
Thanks to all here for getting this page Google-able.
Gotta say that it's hard to believe that I'm using VS2008/C# 3.5/Win 2003 Server & IIS 6 and MS *STILL* haven't made it all hang together properly for multi-core web servers (y'know, like anything made in the past years ...).
Thanks again guys.
# re: Why do I lose ASP Session State on IIS6
John - Actually, Microsoft INTENTIONALLY did not make ASP hang properly on multi-core with the ease of ASP.Net
Microsoft has long made it hang together properly, from the beginning, for ASP.Net with the Session State Service. However, ASP predates all of this discussion, and there was a consciously decision in IIS6 to NOT produce a ASP Session State Service which would have addressed your concerns.
You can view the decision as -- by making an ASP Session State Service, that would be one more thing prohibiting people from migrating to ASP.Net -- so to promote ASP.Net and the future of .Net, ASP had to be less capable.
//David
# re: Why do I lose ASP Session State on IIS6
Hi David,
Your posts are very great assest to developers (great job!)
I have a web application written in ASP classic.
We have upgraded to IIS 6, and I was/am experiencing a session timeout problem, I searched the web and updated the IIS configuration to eleiminate the worker process recycling (and other settings as well that are listed above).
The problem is:
When I leave any page idle for about 10~25 minutes and try to go to any other page, I get the message "You are about to be redirected to a connection that is not secure.
The information you are sending to the current site might be retransmitted to a non-secure site. Do you with to continue?"
This happens while I am not using any secured page(https) in this application, and the session is lost again.
What could be the problem? What to search for? I am lost!
Please advice.
Thanks in advance.
# re: Why do I lose ASP Session State on IIS6
Correction:
Your posts are a great asset to developers (great job!)
# re: Why do I lose ASP Session State on IIS6
David, A quick question regarding what seems to be a recycling issue as well. With a couple of sites on iis6 and each one using their own application pool, there is one of them out of all the 6 that cannot seem to hold onto what i believe is a session. After about 60 minutes, not always, but around that time it seems that the session dies because i can no longer read the data stored in a simple script from a session. I believe it has everything to do with the fact that his site seems to be extremely slow and the single cause for his whole server to be lagging severely. Once i stop his site (which is largely ASP driven) the server regains its performance. As well the script is able to run without losing its session. I think its a simple matter of the site overloading asp threads, but i'm not to firm on the understanding of what happens in this case. Does the application pool moniter the asp threads, and once it reaches too many processes it recycles it and therefore causes the application object to lost its session?
# re: Why do I lose ASP Session State on IIS6
Having read these posts I think I have a situation that is unique that maybe someone can help answer. The session state is only being lost on one specific install of IE7. All other users are able to log in and retain the session state except for one user. The user is running Symantec Corporate and we disable this to ensure the virus software was not interfering.
Any suggestions on how this can occur?
# re: Why do I lose ASP Session State on IIS6
Robert - it sounds like that specific user is somehow disabling cookies, which is used to maintain session state between the browser and server.
//David
# re: Why do I lose ASP Session State on IIS6
David, all I can say is You Are Great!
Every time I have an issue I surf all kinds of forums googling my problem, and I never found such a great explanation on an issue as the one you have provided.
Here's what I do to manage webfarming on ASP using in process session state:
Use a redirection page that will contains the following code
==========================================
- Generate a Unique ID (This can easily be done by inserting into a "dummy" table that only contains an identity number)
- Every session element is saved into a table in the database that contains a unique ID, and the current DateTime:
ID / SessionVariableName / SessionVariableValue / DateTime
- POST the unique ID and the main page address of the current server (where the user would go to log in for the first time) to a receiving page in the new server and anyother POST if necesary
In the new server (receiving page)
- The Unique ID will be used to get the session variables from the DB and be defined in the new server.
- The current time is matched with the datetime saved in the db table plus a configurable value (1 minute at the most)
- If it matches, deletes all the entries for the selected UniqueID Ensuring that even if the time didn't pass, the session variables will not be available in the db.
- If it doesn't match redirect to the caller's home page (for security purposes).
Hope it helps!!
# re: Why do I lose ASP Session State on IIS6
Lucas - Actually, you describe an out-of-process session state implementation, which should work perfectly fine (and you've verified it!) :-)
The actual state values are in the database table, which is stored outside the process serving ASP. You essentially pass a SessionID around to any server in the web farm, which can access the same session state from the database, no matter which server in the web farm handles the request.
This is analogous in behavior to the ASP.Net Session State Service, and the design is quite effective at leverage IIS6 Web Gardens and Web Farms in a scale-out fashion to handle load.
//David