
Redis Session State Provider not deleting keys on Session Abandon

I am storing the Session State in an Azure Redis Cache, using this procedure.

The NuGet RedisSessionStateProvider saves your Session State in Redis and you can manage it as if it were a classical InProc Session.

When the user logs in I do something like this:

AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
Session.Add("key", "value");

The session value is created and available all the time in the application. If you look at your Redis cache you will see these two keys: snurztvlyl2jk5wnzstjikln_Internal and snurztvlyl2jk5wnzstjikln_Data, where snurztvlyl2jk5wnzstjikln is the SessionID.

When I sign out:

public ActionResult LogOff()
{
    Session.Abandon();
    AuthenticationManager.SignOut();
    return RedirectToAction("Index", "Home");
}

The user is signed out, but if I look at the Redis cache the values persist. They are not deleted and are only deleted after the session times out. I also tried Session.Clear() and the keys in the Redis cache still persist.

Why are the keys not deleted, or what am I doing wrong?

Update: I created a public repo reproducing this issue: https://github.com/ricardopolo/RedisIssue

Ricardo Polo Jaramillo asked Dec 26 '14 04:12


2 Answers

I contacted the creators of the NuGet RedisSessionStateProvider and they explained to me that it's expected behavior.

They said:

Now you perform Logout, which calls “Session.Abandon()”. This operation actually removes the session from Redis, but then RedirectToAction("Index", "Home") causes a call to “GetItemExclusive” (a method inside the session state provider), which tries to find the session but doesn’t find it, so it in turn calls “CreateUninitializedItem”, which creates an empty session with SessionStateActions set to InitializeItem (or 1). So at this point if you do HGETALL on this session you will see the key “SessionStateActions” and not “Key”, because this is a newly created empty session and not the old one.

This is how ASP.NET MVC is designed. You should see the same behavior with all other providers as well. Check (http://msdn.microsoft.com/en-us/library/ms178587(v=vs.140).aspx) for more details about session state methods and their meaning.

Ricardo Polo Jaramillo answered Sep 28 '22 14:09


I was kind of able to reproduce it. After Session.Abandon() everything is removed from the cache, but then ResetItemTimeout gets called and it updates the internal key (*_Internal). So the user sees the Internal key in Redis. But I don't see *_Data available after Session.Abandon(), which contains the actual session data.

I have resolved this bug related to *_Internal and released a new NuGet package. (https://www.nuget.org/packages/Microsoft.Web.RedisSessionStateProvider/1.3.0)

If you still see the issue with this new version let us know.

Siddharth Chatrola answered Sep 28 '22 15:09
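
The lifecycle both answers describe, as an added toy model in C# (not the provider's source and not code from either answer), with a logout check that treats a re-created `_Internal` key as benign and a surviving `_Data` key as leftover user data. An in-memory dictionary stands in for Redis; the class name `ToySessionStore`, the helpers `HasKey` and `UserDataSurvived`, and the placement of `SessionStateActions` in the `_Internal` hash are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Toy model of the session lifecycle described above; not the real provider.
class ToySessionStore
{
    // Stands in for Redis hashes: key name -> field -> value.
    readonly Dictionary<string, Dictionary<string, string>> redis =
        new Dictionary<string, Dictionary<string, string>>();

    Dictionary<string, string> Hash(string key)
    {
        if (!redis.TryGetValue(key, out var h)) redis[key] = h = new Dictionary<string, string>();
        return h;
    }

    public bool HasKey(string key) => redis.ContainsKey(key);

    // Session.Add(...) at login: user items are stored under <id>_Data.
    public void SetItem(string id, string field, string value) => Hash(id + "_Data")[field] = value;

    // Session.Abandon(): the session's keys are removed.
    public void RemoveItem(string id) { redis.Remove(id + "_Data"); redis.Remove(id + "_Internal"); }

    // Next request carrying the same session ID (the redirect after LogOff).
    public void GetItemExclusive(string id)
    {
        // Session not found: create an empty, uninitialized one (CreateUninitializedItem).
        // Assumption: the marker field is written to <id>_Internal.
        if (!HasKey(id + "_Data") && !HasKey(id + "_Internal"))
            Hash(id + "_Internal")["SessionStateActions"] = "1"; // InitializeItem
    }

    // Logout check: only fields left in <id>_Data count as surviving user data.
    public bool UserDataSurvived(string id) =>
        redis.TryGetValue(id + "_Data", out var data) && data.Count > 0;
}

static class Demo
{
    static void Main()
    {
        var store = new ToySessionStore();
        const string id = "snurztvlyl2jk5wnzstjikln"; // session ID quoted in the question
        store.SetItem(id, "key", "value");  // login: Session.Add("key", "value")
        store.RemoveItem(id);               // LogOff: Session.Abandon()
        store.GetItemExclusive(id);         // RedirectToAction("Index", "Home")
        Console.WriteLine("_Internal present: " + store.HasKey(id + "_Internal"));
        Console.WriteLine("user data survived logout: " + store.UserDataSurvived(id));
    }
}
```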