Share Session between two web sites using asp.net and state server

by

I’m aware that this question was answered 5 years ago, yet today I think I can put some more information into it.

First, this is not the official way to share session data between 2 IIS applications, or the most popular way. The “seemingly official” way is to use SQL Server session.

In case you can’t use SQL server for any reason, then we can tweak the IIS applications a bit so that we can use Out-of-process session, aka StateServer session state mode.

To make it works, there are quite a few things to make right:

  1. Session cookie of 2 application must be set at same domain name. E.g.
<httpCookies domain=".your.site"/>
  1. Machine key must be matched. You can do standard Web.config field encryption to make it more secure, but that’s optional.
<machineKey validationKey="[your_key]" 
    decryptionKey="[your_decryption_key]" validation="SHA1" />
  1. Session state mode set to state server

Putting (1), (2), (3) together:

<system.web>
    <httpCookies domain=".your.site"/>
    <machineKey validationKey="your_key" decryptionKey="your_decryption_key" validation="SHA1" />
    <sessionState mode="StateServer" timeout="60" />
    ...

  1. Application name must be matched. If not, only the session ID could be shared, but not session data. The problem is that you cannot configure your application name inside Web.config. Yet we can create our own configuration then inject it by reflection. Just put the following code in Global.asax.cs:

    public override void Init()
{
    base.Init();
    try
    {
        // Get the app name from config file...
        string appName = ConfigurationManager.AppSettings["ApplicationName"];
        if (!string.IsNullOrEmpty(appName))
        {
            foreach (string moduleName in this.Modules)
            {
                IHttpModule module = this.Modules[moduleName];
                SessionStateModule ssm = module as SessionStateModule;
                if (ssm != null)
                {
                    FieldInfo storeInfo = typeof(SessionStateModule).GetField("_store", BindingFlags.Instance | BindingFlags.NonPublic);
                    SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeInfo.GetValue(ssm);
                    if (store == null) //In IIS7 Integrated mode, module.Init() is called later
                    {
                        FieldInfo runtimeInfo = typeof(HttpRuntime).GetField("_theRuntime", BindingFlags.Static | BindingFlags.NonPublic);
                        HttpRuntime theRuntime = (HttpRuntime)runtimeInfo.GetValue(null);
                        FieldInfo appNameInfo = typeof(HttpRuntime).GetField("_appDomainAppId", BindingFlags.Instance | BindingFlags.NonPublic);
                        appNameInfo.SetValue(theRuntime, appName);
                    }
                    else
                    {
                        Type storeType = store.GetType();
                        if (storeType.Name.Equals("OutOfProcSessionStateStore"))
                        {
                            FieldInfo uribaseInfo = storeType.GetField("s_uribase", BindingFlags.Static | BindingFlags.NonPublic);
                            uribaseInfo.SetValue(storeType, appName);
                        }
                    }
                }
            }
        }

    }
    catch (Exception ex)
    {
        log.Error(ex.Message, ex);
    }
}

    Credits go to pfemiani, Li Chen, and someone I can’t remember who putting it together in a code project’s comment. Please note that pfemiani’s answer does not work for me, yet combining it with Li Chen’s post does.

  2. Make sure ASP .NET state service is running. It is where session data would be saved now.

More Related Contents:

  1. Cannot open database “test” requested by the login. The login failed. Login failed for user ‘xyz\ASPNET’
  2. How to force HTTPS using a web.config file
  3. An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode
  4. The breakpoint will not currently be hit. No symbols have been loaded for this document in a Silverlight application
  5. Using static variables instead of Application state in ASP.NET
  6. Why is HttpContext.Current null?
  7. Changing project port number in Visual Studio 2013
  8. How to implement “Access-Control-Allow-Origin” header in asp.net
  9. Can you prevent your ASP.NET application from shutting down?
  10. Check ssl protocol, cipher & other properties in an asp.net mvc 4 application
  11. How can I secure passwords stored inside web.config?
  12. IIS app pool recycle + quartz scheduling
  13. I’ve been hacked. Evil aspx file uploaded called AspxSpy. They’re still trying. Help me trap them‼
  14. Leverage browser caching in IIS (google pagespeed issue)
  15. Handler “ExtensionlessUrlHandler-Integrated-4.0” has a bad module “ManagedPipelineHandler” in its module list
  16. Error 500.19 with 0x8007000d when running ASP.NET Core app in IIS despite AspNetCoreModule being installed
  17. Could not load file or assembly ‘System.Web.Helpers, error on IIS 8
  18. Can I reuse HttpWebRequest without disconnecting from the server?
  19. Reach control from another page. ASP.Net
  20. How to get current user timezone in c#
  21. Pass C# ASP.NET array to Javascript array
  22. When using Trusted_Connection=true and SQL Server authentication, will this affect performance?
  23. Displaying standard DataTables in MVC
  24. Entity Framework – retrieve ID before ‘SaveChanges’ inside a transaction
  25. How to create roles in ASP.NET Core and assign them to users?
  26. How do I see the raw HTTP request that the HttpWebRequest class sends?
  27. What is the best approach to handle session timeouts in asp.net
  28. Login page on different domain
  29. Populate TreeView from DataBase
  30. How to intercept any postback in a page? – ASP.NET

Leave a Comment