SQL Server session state in ASP.NET

Question

I have a website hosted on a shared hosting server. Currently I'm using in-proc session state, but I'm facing issues like whenever I change the code (mostly noticed in App_Code), my session breaks and the user is logged out. I have some questions:

1. Is there anything which can help me prevent losing the session when I change the code?
2. If that's its normal behaviour, then how about switching to SQL Server session state?
3. Can I configure it on a shared hosting server? What would be the steps?
4. Do I have access to the session using a normal Session object or do I need to go the usual database connection way?

I've tried configuring it from my local machine, using the aspnet_regsql command, and I provided the hosting server with the database IP. It finished successfully, but it didn't work when I made changes to the web.config file.

These are my changes to web.config:

<sessionState
   mode="SQLServer"
   sqlConnectionString="data source=[DB IP];user id=username;password=password;initial catalog=[db name on production]"
/>

Am I doing anything wrong here?

Answer 1

I can really only answer your first question:

"1. Is there anything which can help me prevent losing the session when I change the code?"

Annoyingly there is nothing that can be done. Once you "bounce" the website (e.g. modify the web.config) you will cause all sessions to end and everyone gets logged out due to the loss of the log in data being removed.

It sounds like you might be better off changing this up to use FormsAuthentication (this is MVC.NET code but the code is still valid for other asp.net applications) as that is stable across code changes e.g.

using System.Web.Security;

public function ActionResult Login(LoginModel model)
{
    var password = FormsAuthentication.HashPasswordForStoringInConfigFile(model.Password 
    + System.Configuration.ConfigurationManager.AppSettings["salt"].ToString(), "sha1");

    if (new UserService().Login(model.EmailAddress, password))
    {
        FormsAuthentication.RedirectFromLoginPage(model.EmailAddress, true);
    }
}

Using FormsAuthentication will mean that your users will be "remembered" by asp.net land and changing the web.config won't kill their logged in session.

If you use this method, but still want to log a user out when they close their browser, you could at the point of logging in above set a session cookie, a standard session cookie not a session variable that is volatile across code changes. This cookie will be killed off by the browser when the user closes their browser. The cookie could be as simple as a "loggedIn:yes". This cookie along with a check against the FormsAuthentication Identity value e.g.

if(!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
   // redirect user to log in page.
}

will then log a user out if the cookie has been remove. FormsAuthentication will also automatically log out after a set amount of time of inactivity which adds an extra layer of security. Hope this helps.

Answer 2

Check the session state modes http://msdn.microsoft.com/en-us/library/vstudio/ms178586%28v=vs.100%29.aspx

You need to use something else than "in-proc".

In terms of shared hosting - I have experience with only discountasp.net and am using sql server session state with no issues. It requires another database but works well.

I also guess you'll have to use the:

allowCustomSqlDatabase="true"

in your web config as database name for your sessions differs from default name.

Check this http://msdn.microsoft.com/en-us/library/h6bb9cz9%28v=vs.90%29.aspx