Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does IIS recognize different sessions in .NET?

Tags:

asp.net

iis

Suppose I have logged into an application which is running from IIS. Now I haven't logged out, but closed the browser. And when I'm accessing the application again, it defaults to the login page. How does IIS recognize that it is a new request and redirects the user to the login page?

I have another question. Suppose if I'm not closing the browser, which I used when I logged in. I'm opening the new browser to request a page from same application. IIS recognizes that it's a new request to the application and redirects the user to login page. Why does it not use the existing session or cookies which the first browser uses?

Please don't get irritated of my continuous questions... I am having huge confusion. We say HTTP is a stateless protocol. Once the page is requested I have logged in. And the HTTP protocol connection will be terminated between IIS and browser, right? Then I am navigating to other pages in that logged in application. Now IIS recognises the user has logged in on this browser. But when I open a new browser and request that application, how does IIS recognises it is a new request? Since the HTTP protocol is disconnected, how does it work in the first case?

like image 445
Bala Avatar asked Aug 19 '10 11:08

Bala


People also ask

How does the server know the session?

Every time a user takes an action or makes a request on a web application, the application sends the session ID and cookie ID back to the server, along with a description of the action itself.

How IIS recognize that which web application we are?

In IIS we have virtual directories pointing to the url's , so depending on the url IIS knows which web application you are requesting.

Where is session stored in IIS?

Temporary files created as part of a user's interaction with your application are stored in Session State Storage. You can configure where session files are stored in the IIS publishing profile. Or in an existing profile using the Session State Storage Type property.

What is IIS session state?

Session state is a means by which Internet Information Services (IIS) 7 stores information about each unique client session. For example, if your Web site has a shopping cart application, the contents of each client's shopping cart can be stored in session state.


3 Answers

As you've correctly said, HTTP itself is stateless, and each request is technically separate from every other. Sessions, as used by web sites, are a workaround for that. What happens, normally, is that the server stores whatever info it cares to maintain between requests (like the logged-in user's username and/or ID, for example), and assigns that information an ID (called a "session ID"). It then tells the browser that session ID, in such a way that the browser can hand the ID back when it's time to make another request. If the browser plays its part and provides the session ID, then the stored information can be retrieved, updated, etc with each request, providing some degree of state even over a stateless protocol.

Sessions are usually implemented using cookies. That is, the server hands the browser a cookie with the session ID, and the browser hands back that same cookie with each request until the cookie expires or is otherwise forgotten. Some cookies (so-called "session cookies") aren't saved, and are forgotten when the browser is closed. A freshly opened browser doesn't have any session cookies to pass, so if the server uses session cookies to do sessions (which it should), it will consider the user not yet logged in and bounce them to the login page if they need to be logged in.

Session cookies will usually be shared between tabs in the same browser, and will sometimes even be shared by windows opened by "File > New Window" from an already running browser, because both of those cases will typically just be a part of that browser. But if you start the browser from the Start menu, or however your OS lets you start a program, it's a whole other process -- and session cookies are rarely shared between processes.

The server typically also only remembers sessions on its end for a limited time (anywhere from seconds to years, depending on the server and/or site settings) after each request that uses the session. If the browser passes a cookie that corresponds to a session the server no longer remembers, it'll act as if there's no session at all. Which, in cases where you have to log in, will again bounce to the login page.

like image 86
cHao Avatar answered Oct 11 '22 05:10

cHao


There are cookies that are passed always no matter are you logged or not. They are mapped to session in IIS.

like image 30
Andrey Avatar answered Oct 11 '22 06:10

Andrey


Check out the following articles. They might be helpful.

  • IIS Dropping Sessions

  • Session Management in ASP.NET

like image 20
Sachin Shanbhag Avatar answered Oct 11 '22 05:10

Sachin Shanbhag