0
votes

I'm guetting out of ideas. I'm trying to use the same SessionState between two .Net 4 apps running under the same application pool and using mode="StateServer". I did a test on both app and I have a curious result: SessionID is shared, but not the actual session items.

How does it work internally? Is this a security restriction documented somewhere?

Screenshot 1 - I'm setting a session item (a simple date in TestData) in app#1 /SecureSessionTest.aspx: enter image description here

Screenshot 2 - I'm reading the same session item TestData in app#2 /Apps/SecureSessionTest.aspx, but only the SessionID appears: Screenshot1: SessionID is shared, but not item TestData

I can even set different data in the same Session("key"). Weird!

They both have this in their web.config:

<machineKey validationKey='7D1094A0FC13B6656141916F69F6E25D0F112A6E94BD3EF5DAEFD9755A367C09607E7D76827AC5ACAD14456665C4E0966F632F09522475758A815A4045BF3F25'   decryptionKey='F0DF9FA0522E541FF246ADD8BC285A10E984444AE4361631' validation='SHA1'/>
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="60" regenerateExpiredSessionId="false" cookieName="XXXXXXXX_ASP.NET_SessionId" />

Any ideas? Help is very appreciated!

Carl

2
This is a relative simple solution while using sql server as session storage: blogs.msdn.com/b/toddca/archive/2007/01/25/…VinayC

2 Answers

1
votes

The StateServer keys the session off of a combination of the SessionID cookie, the machine key, AND the application name.

Try having the two applications share the same application pool.

This previous question may be illuminating: Session State and Application Pool

(If my initial suggestion doesn't work please comment and I'll dig deeper)

0
votes

@Ash is right, the session is based off the sessionID (which is dependent on the machine key as well as the website domain), and application name, but I did get it to work on a single site across application directories (sounds like your scenario) - see my answer on state server session - cross appDomain?

It sounds like the piece you're missing is the explicitly setting the application name in the global.asax (using reflection - I haven't found a configuration setting for this). I just found out about that after googling for the setup all morning.