Sporadically losing session state when redirecting from http to ht

[TS]

Hello:

I have an issue with an ecommerce website that is losing session for some
users. The session data is being lost when the user is redirected from http
to https.

What is really puzzling me here is that the issue only happens for a small
percentage of users. About 4 or 5 five users has experienced the problem. The
rest of the 250+ users didn’t have any problems placing orders using the
website. The users with the problem are not connected in any way; they all
are in different places with different systems.

I’ve tried logging in as the problem users and placing orders on their
behalf and everything has worked fine for me. Any advice here on what to do
to troubleshoot and what can be causing this issue is greatly appreciated.

The application is developed in ASP.Net 3.5 and is running in IIS 6.0

Thanks a lot,
TS

 

[Tom Dacon]

Hello:

I have an issue with an ecommerce website that is losing session for
some
users. The session data is being lost when the user is redirected from
http
to https.

What is really puzzling me here is that the issue only happens for a
small
percentage of users. About 4 or 5 five users has experienced the problem.
The
rest of the 250+ users didn't have any problems placing orders using the
website. The users with the problem are not connected in any way; they all
are in different places with different systems.

I've tried logging in as the problem users and placing orders on their
behalf and everything has worked fine for me. Any advice here on what to
do
to troubleshoot and what can be causing this issue is greatly appreciated.

The application is developed in ASP.Net 3.5 and is running in IIS 6.0

Thanks a lot,
TS

We had that problem ourselves with our own applications, and solved it by
going to a third-party solution for session store: Alachisoft's NCache
product. It's not cheap, but it solved the http/https problem completely.

Tom Dacon

 

[TS]

Hello Tom:

Thank you for your response. Before using Alachisoft’s NCache did you try
using State server or SQL server session state modes or you just tried InProc
and went directly this third party product? I am using InProc right now and
haven’t tried any other mode.

Also, any thoughts or why this is happening in the first place? It
shouldn’t even with InProc.

Thanks,
TS

 

[Tom Dacon]

Hello Tom:

Thank you for your response. Before using Alachisoft's NCache did you try
using State server or SQL server session state modes or you just tried
InProc
and went directly this third party product? I am using InProc right now
and
haven't tried any other mode.

Also, any thoughts or why this is happening in the first place? It
shouldn't even with InProc.

Well, we were trying to avoid single points of failure, so that ruled out
the state server. We frankly didn't pursue SQL Server because our SQL Server
situation is pretty loaded up and we couldn't afford to put any more SQL
Servers online. You can set up NCache as a session store server in a variety
of ways. The way we chose was to have it running on each of the LB app
servers, sharing state among themselves in a peer configuration. That way if
one of the load-balanced app servers happens to go down, the two remaining
servers (in our configuration) continue to share what is then a two-way peer
configuration for session store. You can also set it up with the session
state servers running in their own load-balanced cluster if you're ambitious
and have servers coming out of your ears. But either way, we avoided a
single point of failure for session store.

The thing with NCache, session store information is held exclusively in
memory and doesn't spill over to any persistent medium, so you have to be
careful about how much state information you're keeping in the Session
object. Fortunately for us this is no problem, which it otherwise would be
because it's running right on the app servers themselves.

I'm sorry I can't shed any real light on why the problem is actually
happening, since I'm far from an expert on IIS.

The Alachisoft folks have some white papers on their site that you might be
interested in: www.alachisoft.com

HTH,
Tom

 

[TS]

Thank you so much Tom, I appreciate you taking the time to respond and
providing such a detailed answer.
While I see that your approach might solve my problem based on your own
results, I am hesitant to pay for a third party solution and even to move
from session state mode InProc to State Server or SQL Server. I would like to
see what’s really going on here, where is the failure happening and why this
is only an issue for less than 1% of my users. I am out of ideas about why
this is happening and would like to hear opinions on what could be root cause
of this issue.

 

[Tom Dacon]

Thank you so much Tom, I appreciate you taking the time to respond and
providing such a detailed answer.
While I see that your approach might solve my problem based on your own
results, I am hesitant to pay for a third party solution and even to move
from session state mode InProc to State Server or SQL Server. I would like
to
see what's really going on here, where is the failure happening and why
this
is only an issue for less than 1% of my users. I am out of ideas about why
this is happening and would like to hear opinions on what could be root
cause
of this issue.

I know what you mean - this is an expensive solution for a problem that
shouldn't be a problem. If you make any progress on finding out the root
cause of the problem, please post to the newsgroup. We've got plenty of
other uses for the money we're spending on this solution.

For what it's worth, we have an unconfirmed opinion that the problem is that
the stickiness of the session just gets lost in the shift between http and
https, and if the user happens to come back on a different server in the lb
cluster his Session object is nowhere to be found on that machine. A factor
could be the particular lb strategy you're using and the busy-ness of the
server cluster.If this supposition is correct, perhaps 99% of your users
conveniently land on the same server after the switch, and just a few land
elsewhere. But all that of course just describes the symptoms, rather than
addressing the underlying cause.

Thanks and good luck,
Tom Dacon

 

[James]

Hello:

I have an issue with an ecommerce website that is losing session for
some
users. The session data is being lost when the user is redirected from
http
to https.

What is really puzzling me here is that the issue only happens for a
small
percentage of users. About 4 or 5 five users has experienced the problem.
The
rest of the 250+ users didn’t have any problems placing orders using the
website. The users with the problem are not connected in any way; they all
are in different places with different systems.

I’ve tried logging in as the problem users and placing orders on their
behalf and everything has worked fine for me. Any advice here on what to
do
to troubleshoot and what can be causing this issue is greatly appreciated.

The application is developed in ASP.Net 3.5 and is running in IIS 6.0

Thanks a lot,
TS

Why not force the application to run totally in https mode? You can do this
in Application_Start() event.