Scott Hanselman

Troubleshooting Expired ASP.NET Session State and Your Options

January 30, '08 Comments [23] Posted in ASP.NET | Bugs
Sponsored By

I have a love/hate relationship with the ASP.NET Session. It's such a convenient place to put things, but when you start putting applications into production there are a number of less-than-obvious edge cases that can come up and bite you.

Most often the Session is used when managing state over a long process like a multi-step wizard or questionnaire. However, when people use the Session, they often lean on it a little. They'll bake it into their design so deep that when it doesn't work, they're screwed. That's not to say they shouldn't be able to lean on it, I'm just saying that there's a lot of things going on with Session (not just on ASP.NET, but other frameworks as well) in order to get it to look seamless.

Built in Options

ASP.NET offers three options (four if you count rolling your own).

  • Inproc - The default, and usually works fine. However, you can get into trouble in a few scenarios.
    • Web Farms - If you have more than one web server, it's important to remember that your users may not "stick" to the same webserver with each request. Some routers offer Sticky-Sessions or the ability to "pin" a user to a server. This works well if the router uses cookies as its key, but it's less reliable if the router uses IP address/source port as the key as these may change, especially if the user is behind a mega-proxy.
    • Web Gardening - If you've setup IIS to run multiple instances of the IIS Worker Process on a single multi-proc machine, this is the equivalent of running a Web Farm, just on one machine. This technique is usually only useful when you've got a very CPU-intensive application - in other words, don't just turn on Web Gardening and expect your problems to get better instantly. It's subtle.
    • Unexpected Process Recycling - IIS6 had some wonky defaults and would recycle the AppPool or Process when some certain limits were hit, like after x number of requests or after 20 minutes. This is the classic "flaky session state is expiring" issue that lots of folks hit. You'll be more likely to see this if you've got really long running processes where users are logged in for long periods of time.
  • Out of proc - A good next step, this moves session out to a Windows Service. You can run one per Web Farm (meaning, you've got multiple machines but one instance of this service) and your session data will survive process recycles, but not system reboots. This is useful for both Web-Gardening and Web-Farming.
    • Folks usually forget to mark their objects as [Serializable] which basically gives your objects "permission" to leave their process space and be stored in memory in the State Service. If you've got a high-traffic site you might want to avoid storing complex objects and object graphs as you'll pay for it on the serialization. Of course, with all things, measure everything! You'll get best performance if you stick with basic types like strings, ints, etc.
    • UPDATE: I wanted to update this post and point folks to Maarten Balliauw's most excellent series on Out of Proc Session State (StateServer). He covers the basic setup, which is unremarkable, but then digs into the advanced stuff including "partitionResolvers" which I am ashamed to say I hadn't heard of! Recommend.
  • SQL Server - The most robust, but now you'll pay for not only serialization, but storage. However, SQL Server is a highly tuned system and if you've got a site with any significant traffic I really recommend just skipping out-of-proc and putting your session state into a SQL Server with a lot of memory. Rather than trusting ASP.NET out of proc Session State Server to be a small database, leave the database work to the databases.
    • The benefits of SQL Server for your Session State include surviving process recycles and reboots.  but more importantly using removes a lot of variables from your troubleshooting in the sense that you no longer worry about the storage of your Session, now you just need to worry if your Session Cookies are getting passed back and forth from browser to server.
    • Make sure you're using Windows Integrated Security and that you decide if you want ASP.NET to store Session in tempdb (which won't survive a SQL recycle) or a dedicated database (my recommendation).


There's a number of things that can go wrong, some of which I mention above, but here's what I usually run through when troubleshooting things.

  • Is the ASP.NET SessionID Cookie actually moving back and forth between browser and server. This can be confirmed by:
    • Using an HTTP Sniffer like ieHttpHeaders or HttpWatch or Fiddler and confirming that the Session ID cookie's value isn't changing between requests.
    • Confirming that the cookie isn't being blocked by IE, privacy settings, lack of a P3P policy document, local firewall like ZoneAlarm or Symantec, or a corporate proxy with an attitude problem.
  • Is IIS recycling  the AppPool or Worker Process? Confirm the settings in IIS manager and make sure they are right for what you're doing.
  • Is the session timing out? Are you sure you're hitting the same VDir from whence you came and successfully resetting the sliding expiration on the Session ID?
  • Is some other thing like an Ajax call or IE's Content Advisor simultaneously hitting the default page or login page and causing a race condition that calls Session.Abandon? (It's happened before!)

At my last company Session became such a hassle for large high traffic applications that we just stopped using in-proc and started exploring alternatives.

Some 3rd Party Session State Options

  • NCache from Alachisoft - An in-memory object cache that's distributed across your web farm. Think of it like Out of Process Session State, but distributed/clustered in their Enterprise Edition.
  • ScaleOut Software SessionServer - Fast, scalable in-memory storage that is distributed across machines. Full Disclosure: we worked with these guys while I was at Corillian, but never put them into production.
  • Memcached Session State Provider - Fahad has created ASP.NET Session State providers that will talk to memcached, a very popular distributed memory caching system originally created for and now used all over.

Related Links you might enjoy

How do you manage state at your company?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Review: Pleo gets sent back to the Dinosaur Pound

January 29, '08 Comments [25] Posted in Reviews
Sponsored By

imageUPDATE: In record time, Sarah from Ugobe included feedback in the comments below. Just be clear, I was reticent to do a review at all, because I know how much work goes into things like this, especially for a small startup that pours their hearts into a product like this. It just turns out that it wasn't for me, and I had high, perhaps unreasonable expectations that weren't met. That said, please do read Sarah from Ugobe's thoughts in the comments below.

I've always wanted a little robot, maybe a dog or something that would wander around the house and be charming, but wouldn't require, ahem, care and feeding. I have enough trouble keeping myself and my family fed, the last thing I need is an actual animal to keep alive. I'm not a dog or cat person, sue me. ;)

Anyway, the Sony Aibo was a good idea, but it was (and is) too expensive (unless you, Dear Reader, want to loan/sell me your Aibo?) for my tastes.

This Christmas I got myself the family a Pleo baby dinosaur using blog money, although the WAF on this one was at a new low. Seriously. But, I persevered.

Again, as with the iPhone, the Wife was correct.


What a profoundly disappointing toy. To be clear, it is a toy and an expensive one at that. Fortunately The Sharper Image has a good return policy.

The Bad

  • It's slow. It doesn't wander around the house. If you leave it alone for more than 10 minutes it "falls asleep." Basically you need to actively touch it for it to stay awake.
  • Horrendous battery life. It has a pack of what looks like 4 AA batteries lashed together that fits inside it's stomach. However, you get only one pack, you have to remove it to charge and you're lucky to get an hour out of it. Any idea that this thing would wander around the house for a half-day are dashed at this point.
  • It's noisy. I don't mean it's noisy with cute dinosaur noises, I mean it's noisy with gear gnashing sounds. This destroys any sense of realism, for me. The wife commented also.
  • It's less-than-clever and slow in the head. You have to poke at it for 10-15 seconds, it seems, before it reacts with tricks and such
  • Within a few minutes (maybe 10) of petting it, the paint started to flake off. The website says this "makes your Pleo personal" but I think it just shows that painted rubber is a sub-optimal fake skin.
  • Still no word on when a Developer SDK is coming out. Perhaps expectations of a company are high given blogs and what not, but when a company has no visible blog and is slow with the updates (cough: Mozy) then folks quickly lose confidence, IMHO.

The Good

  • It's got an SD slot and tiny USB, so upgrades are supposed to be easy, unfortunately according to their site even now as we approach the February after Christmas there is still no upgrade to their OS. Why should I care? Because apparently the current Pleo LifeOS has a bug where the Pleo doesn't adapt or grow correctly.
  • It's fairly sturdy and nice to look at if it's not moving. So, as a piece of sculpture, sure. As soon as it moves, the illusion is over.

Perhaps I would have enjoyed it more if it were faster, quieter, more interesting, but even my 2 year old grew tired and frustrated with it as it didn't "engage" or seem to notice he was there as he tried to feed it the plastic leaf it comes with. As soon as it failed to connect with him, that was the end of Pleo. Maybe I'm being too harsh, but I had high hopes and was very bummed by this whole thing and won't make this mistake again.

If you can borrow or rent or observe one first, I'd really recommend caution with this robot.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Hanselminutes Podcast 98 - Raising Geeks with Scott's Dad

January 25, '08 Comments [28] Posted in Microsoft | Musings | Podcast
Sponsored By

P0005265_thumbMy ninety-eighth podcast is up. In this episode, Scott sits down with his Dad and talks about growing up as a geek, raising geeks, and the sacrifices families make to help their geek children succeed.

(BTW: Grandma is cool and Grandpa was also!)

Subscribe: Subscribe to Hanselminutes Subscribe to my Podcast in iTunes

If you have trouble downloading, or your download is slow, do try the torrent with µtorrent or another BitTorrent Downloader.

Do also remember the complete archives are always up and they have PDF Transcripts, a little known feature that show up a few weeks after each show.

Telerik is our sponsor for this show.

Check out their UI Suite of controls for ASP.NET. It's very hardcore stuff. One of the things I appreciate about Telerik is their commitment to completeness. For example, they have a page about their Right-to-Left support while some vendors have zero support, or don't bother testing. They also are committed to XHTML compliance and publish their roadmap. It's nice when your controls vendor is very transparent.

As I've said before this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple. Avoid wasting the listener's time. (and make the commute less boring)

Enjoy. Who knows what'll happen in the next show?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

ASP.NET MVC - WebForms Unplugged

January 25, '08 Comments [38] Posted in ASP.NET | Microsoft | Musings
Sponsored By

Acoustic Guitar As a new Microsoft employee, I like the new-found pragmatism at the Microsoft Developer Devision, typified by projects like the ASP.NET 3.5 Extensions and MVC. Certainly we all know MVC as a concept is nothing new, but it is new as a philosophy for the ASP.NET team (IMHO).

Remember that ASP.NET WebForms render using a Control Hierarchy which is fundamental to the whole gestalt of what we think of as ASP.NET. You put an <asp:label> inside an ASPX page and as soon as you mark it 'runat="server"' you've added it to the Control Hierarchy. Any string literals around your control also become part of that hierarchy of objects. The PreRender event is an opportunity for you to affect that tree of controls before the Render event fires and they turn into Angle Brackets (usually HTML). ASP.NET represented a swinging of the needle, as it were, from the Classic ASP way of doing things to an artificial event model that gave us state where there was no state. It added layers and production value and it sounded good, and still sounds good to lots of people.

However, this leaves a gap in the music. Sometimes I just want to control the stream myself. I want the system to step aside and let me get down to it. Not all the way aside, but certainly out of my general field of view. MVC Frameworks with View engines like ASP.NET MVC and Monorail's many template options and the Django template language and HAML...

(Note to self, write HAML view factory for ASP.NET MVC. UPDATE: Crap! The brilliant Andrew Peters made NHAML this last month and added it to MVC Contrib. New Note to self, crush Andrew Peters for being too awesome.)

…provide a fresh clean new sound to the same old angle-bracket-based music of the past. Clean, simple, lightweight.

Is it MVC that makes this possible? Partially, but we mustn't forget the huge influence of sites like and the minimalist markup aesthetic promoted by CSS folks and standards wonks changed the way we think about markup and what can be accomplished with a few H1s and a UL/LI or three.

In a recent MVC design meeting someone said something like "we'll need a Repeater control" and a powerful and very technical boss-type said:

"We've got a repeater control, it's called a foreach loop."

Zing! That's so cool. Get out of my way and let me make some angle-brackets. Again, not for everyone, but for enough people that matters. Open Source projects like MVCContrib and hopefully a bunch of 3rd party component vendor types will drink in that simplicity and the power of statements like that and create helper methods and controls that we want, need and can use, and not just <mvc:TooBigDataGrid/>.

This is a not just a different tune, but a whole different band playing all new music. Not everyone will like the music, and that's why the world has more than one band. This is a Good Thing.

I like to think of ASP.NET MVC as the raw, acoustic version of the more heavily produced and multi-layered ASP.NET WebForms we use today.

I hope the pure intent and zen-like simplicity of a nice clean MVC design stays that way. Sometimes I want to listen to Kanye West, but sometimes I want to listen to John Legend. Or, insert your own musical analogy here. Either way, it's ASP.NET Unplugged as far as I'm concerned.

Related Posts

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Best Mobile Websites for Tiny Browsers

January 24, '08 Comments [25] Posted in Microsoft | Musings | Tools
Sponsored By

htc-excalibur-s620-4 I'm getting ready to setup an HTC Excalibur and I wanted to post my list of favorite sites to visit with my Mobile Browser and a list of the apps I really need to install to make my Windows Mobile Smartphone complete.

  • Amazon Mobile - - A basic, but very usable site, focused on search, that lets folks who've setup their Amazon account ahead of time purchase directly from the phone. Nice if you have Amazon Prime Free Shipping.
  • BBC PDA - or - BBC has a mobile site and a PDA site, but the PDA site looks best on Smartphones or Blackberries. The best of the BBC on my phone. The mobile site would look good on an old black-and-white WAP Nokia.
  • CNN Mobile - - Same here, mobile CNN, some pics, I use this site a lot.
  • Engadget Mobile - - My favorite tech and gadget blog, now with mobiley goodness. I wish I could see comments though.
  • - - Ha! See what I did right there? Back in the day, we taught dasBlog about mobile devices and if you hit from a Blackberry or Windows Mobile browser (and a number of other tiny browsers), we'll detect it and give you a mobile experience. Yay!
  • Facebook - - In terms of pure functionality, I'd say that Facebook's mobile site is, hands-down, the most functional. It feels like you can most everything you'd ever want to using only Tiny HTML. This site and this company continue to impress, probably because it's running entirely on Red Bull and 20-year-olds.
  • Flight Stats - - This fine site has saved my tuckus a number of times while traveling. Their Airport Chatter section is interesting also.
  • Google - - The Tiny XHTML version of Google includes location specific searches and personalization with News, Weather, Movies, etc.
    • +1-800-GOOG-411 (+1-800-4664-411) - If you're able to call this number, either domestically or internationally, it's worth a try because it's amazing. Much better than the "1-800-Tell-Me stuff back in the day, but still of the same vein. I use this a LOT.
  • Microsoft Live - or - If you hit wls you'll get your browser detected and possible prompted to download a nice applet for your phone. If you hit you'll get tiny Windows Live Search.
  • Gmail - - If you hit gmail with your phone you should get detected and sent over to the mobile version. If not, you can hit or where the x is magic. If you're running Google Apps for Your Domain (GAFYD) you can hack that URL also.
  • Joystiq - - Tiny Gaming Site. Interestingly, while they use (I think) the same back end as Engadget, sometimes the fonts are all wonky.
  • Mobile MSN - - A decent mobile portal and good jumping off point. The mobile stocks are particularly good.
  • MSNBC - - It's astonishingly LAME that you can't get to this site from but perhaps they'll read this and make that DNS change, because this is a really good tiny news site.
  • - - I use to manage my security systems at the house and our rentals from my phone. If you've got a service available over the web, you really ought to have a minimal mobile website so kudos to them for having one.
  • Twitter - - Does exactly what it says it twitter, although I'd like to be able to see Direct Replies in the interface.
  • Wapedia (Mobile Wikipedia) - - Very useful for winning arguments with the wife self-edification, it's the mobile Wikipedia.

I think it's funny that folks thought that the ".mobi" top level domain extension was a good idea and that the internet just changed "" to "" and saved the registration fee. Plus, I don't have to tap out the "obi" which saves me, like minutes.

What are your must-have mobile websites, Dear Reader?

Related Posts:

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.