15
votes

Background

  • We have one website running on IIS 6 (Win2003 Server) using .NET 3.5: site1.mysite.local
  • We have a second website running on IIS 7 (Win2008 Server) using .NET 4.0: site2.mysite.local

On each site, the web.config contains the StateServer and the same machineKey:

<sessionState mode="StateServer" stateConnectionString="tcpip=STATESRV01:42424" />

<machineKey decryptionKey="EDCDA6DF458176504BBCC720B4E29348E252E652591179E2" validationKey="CC482ED6B5D3569819B3C8F07AC3FA855B2FED7F0130F55D8405597C796457A2F5162D35C69B61F257DB5EFE6BC4F6CEBDD23A4112C4519F55185CB5EB3DFE61"/>

We also have a PostRequestHandlerExecute Event Handler to modify the "NET_SessionId" cookie to have the same root domain and path.

cookie.Domain = ".mysite.local";
cookie.Path = "/";

In the global.asax file, we have the following code to modify the App Name in the Application_Start event:

    protected void Application_Start(object sender, EventArgs e)
    {
        string applicationName = "mysiteapp";

        // Change the Application Name in runtime.
        FieldInfo runtimeInfo = typeof(HttpRuntime).GetField("_theRuntime",
            BindingFlags.Static | BindingFlags.NonPublic);
        HttpRuntime theRuntime = (HttpRuntime)runtimeInfo.GetValue(null);
        FieldInfo appNameInfo = typeof(HttpRuntime).GetField("_appDomainAppId",
            BindingFlags.Instance | BindingFlags.NonPublic);

        appNameInfo.SetValue(theRuntime, applicationName);
    }

Result

Both sites return the same Session ID, but when we try to set a session value on site1, site2 does not return a value.

Site 1 (site1.mysite.local) Result

Session ID (Session.SessionID): a55jnfcscxd3f0hnwoik02pp
Session Value: True

Site 2 (site2.mysite.local) Result

Session ID (Session.SessionID): a55jnfcscxd3f0hnwoik02pp
Session Value: 

Question

From my understanding, the State Server keys the session off of a combination of the SessionID cookie, the machine key, and the app name which we have tried to update so its the same across both sites. The problem is, the session value is not shared across the websites.

Why don't you use the SQL Server mode for Session State?

We might have to but we were hoping to use our State Server instead.

Has anyone had success with State Server with multiple web applications across multiple servers?

2

2 Answers

4
votes

.NET 3.5 and .NET 4 run different versions of the CLR. Object serialization (which is used for storing session state when not using InProc) differs between .NET versions. It's likely that the object is failing to be deserialized on another platform so it silently drops it. You would have the same problem if you use SQL Server as a Session State server too.

Assuming this is the problem then you're going to have to ensure both sites are on the same .NET version, or perform your own serialization to disk or SQL Server.

3
votes

StateServer and SQLServer state management also uses the application path (in addition to the application name) in creating the key for session data.

Your application is showing the same SessionID due to the cookie being read by both apps, however the application path must be the same as well to actually read the same session data on the state server.

You can change that to the same value with an extra overwrite in your Application_Start for this variable:

FieldInfo appPathInfo = typeof(HttpRuntime).GetField("_appDomainAppPath",
     BindingFlags.Instance | BindingFlags.NonPublic);

appPathInfo .SetValue(theRuntime, applicationName);