I have an ASP.NET application which appears to start a new session when in the middle of another session.
Using Forms authentication.
authentication timeout = 120. sessionState timeout = 130.
sessionState mode = InProc.
cookieless = false (which should be the same as UseCookies).
Only happens when accessing a specific page after visiting a dozen or so other pages. However, if I access other pages before I access the otherwise failing page, the error does not occur.
Not due to application pool recycling. I am continually running the same w3wp processes for hours. Health monitoring logging shows nothing.
When using the network function in F12 Developer Tools all of the cookie values survive the transition from one session to the next but at the point of failure the cookies view shows "Received: ASP.NET_SessionId" whereas all other values in the same request show up as "Sent".
Everything happens within the same domain (in this case localhost).
Objects are stored in the Session object almost immediately after the user logs in so this is not one of those cases where ASP.NET_SessionId changes for each request due to an unused Session object.
IIS 7.5 on Windows 7 x64 development system. Fully up-to-date with all Windows updates.
I have added debug statements to all of the global events in Global.asax and there is no indication that any of my code is causing the session id to be lost in the middle of a request. I simply get a new Session_Start event when the specific function is invoked, even though dozens of request have successfully been processed up to that point.
Sample User-Agent string (Chrome): "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36"
Sample User-Agent string (Internet Explorer): "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
The problem can consistently be reproduced using Internet Explorer 9, 10, and 11. I have not tried older versions of Internet Explorer.
The problem cannot be reproduced using the latest versions of Firefox or Chrome.
Is there a list of things I can check in order to figure out why ASP.NET thinks it needs to start a new session and assign a new ASP.NET_SessionId value when running Internet Explorer but no other browser types?
I am afraid I cannot be more specific than this but I hope the information above at least will eliminate some of the usual suspects from the conversation.
The problem turned out to be the 50-cookie limit in Internet Explorer.
This is described in Number and size limits of a cookie in Internet Explorer
and Internet Explorer increases the per-domain cookie limit from 20 to 50.
The excessive use of cookies resulted in several cookies being added for each visit to a new function which is why it required a fair amount of testing to get to the point where the session id got pushed out by the arrival of new keys in the cookie collection.
Chrome has a limit of 180 cookies whereas Firefox has a limit of 150 which explains why the application would continue working for much longer than was the case with Internet Explorer.
The limits for a given browser can be tested using the Browser Cookie Limits page.
I found that link in the accepted answer to What are the current cookie limits in modern browsers?