What does it mean if my Asp.Net session has IsNewSession == true, and should I care?

Question

To start with, this is code that I inherited and the person who wrote it is no longer here nor available to question.

I have users in production getting annoyed at randomly being logged out of our Asp.Net MVC application (According to references our MVC libraries are version 5). After flailing about in the code and website for a while I think I have isolated what users are seeing to the following bit of code:

public class SessionExpireFilterAttribute : ActionFilterAttribute
{

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext ctx = HttpContext.Current;

        // check if session is supported
        if (ctx.Session != null)
        {

            // check if a new session id was generated
            if (ctx.Session.IsNewSession)
            {

                // If it says it is a new session, but an existing cookie exists, then it must
                // have timed out
                string sessionCookie = ctx.Request.Headers["Cookie"];
                if ((null != sessionCookie) && (sessionCookie.IndexOf("ASP.NET_SessionId") >= 0))
                {
                    SessionVariables.Current.User = null;
                    FormsAuthentication.SignOut();

                    filterContext.Result = new RedirectResult("~/Account/Logon");

                    return;
                }
            }
        }

        base.OnActionExecuting(filterContext);
    }
}

I'm not totally sure why this code is needed (why would you attribute this instead of making it global) but I have seen variations of this code around the internet in my searches but not with description of why you'd want it.

Regardless, it is already in our code base and the issues that we are having seems to be that if the user is idle in a window for a small period of time and then they do something, ctx.Session is not null but ctx.Session.IsNewSession is true.

This implies to me that for some reason Asp.net decided this user needed a brand new session started up for them, and since we have no idea who this user is (since all their session data is gone since ... it's a new session) we need to log them out and make them log in again.

This all seems logical except I just finally was able to hit a breakpoint inside the IsNewSession if statement. What's odd to me is that my Session actually looks 100% filled out (and filled out correctly). This means it correctly knows who I am, and all other information that only gets put into the session when you successfully log in.

Furthermore, ctx.User.Identity.IsAuthenticated is true, and it has the correct login name.

Everything seems to point that I have a valid session, but since this code is making the design decision that if Asp.Net creates a new session I must be logged out, the user is getting logged out.

So my question is:

1. What does Session.IsNewSession mean in practical terms?
2. Is it correct to always log the user out when IsNewSession is true?
3. Are there any ramifications for not logging the user out as long as they are listed as authenticated and has valid session data?
4. What causes Asp.Net to create a new session and yet still re-use previous session data?
5. My understanding with session expiration was it was caused by the provider layer, in that Asp.Net wouldn't even have any session data if the session has expired. Is that not the case?

As a quick side note, we are currently using Redis as our session store. Also, if relevant the application is being hosted on Azure websites (and I'm not sure how that affects session expiration).

Answer 1

ASP.NET creates a new Session any time a browser without a current session navigates to the site. So even if someone isn't logged in, they'll still have a Session. Likewise, if one session expires, a new session will be created the next time the browser makes a request. This new session won't have "session data" stored in it, but ctx.Session will not be null. Also, if you have multiple servers and the load balancer happens to route the user to a different server, then that new server will try to start a new session.

Session state is tracked separately from Authentication state, meaning that one can expire while the other is still valid. For well-written applications, this typically won't cause any problems. However, some applications pre-load information into the session upon login, and treat the session as a kind of cache for this information for the length of the session. Or, they will set values on the session when the user performs certain actions, and later actions will expect those values to be on the session, because the user should have navigated through those earlier actions to get there. (e.g. a Wizard interface, where each step saves values to the session, to be used when the user clicks "Finish" on the final step.)

It's possible that your application at some point was expecting data to be on the session which wasn't there, and the developers realized it wasn't there because ASP.NET had automatically renewed the session, losing all the previously-set session data. Rather than redesigning their use of session data, they chose to make it so that any time they lose the session they'll also force the user to go back to a sane starting position, where pages won't break in weird ways just because session-stored data was lost.