RE: asmx httphandler not properly protecting sessions?
- From: Nick <SaintNick@xxxxxxxxxxxxx>
- Date: Fri, 7 Sep 2007 01:30:04 -0700
Hi Steven,
thanks for replying.
We have a asp.net ajax-like web application from which aspx request are done
and which also hosts the webservice.htc component which posts webservice
calls to the same web application. All from the same browser instance thereby
sharing the same session (through the asp.net session cookie).
Should you wish to see the application then please feel free to take a trial
subscription at http://trial.reeleezee.nl/ You might need someone who speaks
Dutch with you, but even without you will be able to appreciate the workings.
So basically we can reproduce the following situation:
1. User is waiting on a long-running aspx, for example generation of a pdf
report
2. user does not wait for completion of the report but causes a webmethod
call to be http-POSTed (using webservice.htc) to the same asp.net server
which is still running the aspx request.
Result is both the asmx and the aspx have read/write access to the same
session data.
Regards, Nick
"Steven Cheng[MSFT]" wrote:
Hi Nick,.
From your description, you're using ASP.NET webservice with session state
enabled. However, you're wondering how the concurrent session state
accessing will be serialized between webservice call and web page(aspx)
requests, correct?
As for this question, I'd like to confirm the following things with you:
** How did you both request the asmx and aspx page? Normally, webserivce
request are send through webservice client proxy and aspx pages are
requested through webbrowser. Are you also using WebRequest component to
request aspx page programmtically?
** For session state, how did you make the aspx page and webservice share
the same session? If you're using webbrowser, browser will automatially
help maintain the session. While if you use webservice proxy or WebRequest
to access asmx service or aspx page, you'll need to manually use the
CookieContainer to main the session.
Please feel free to let me know your detailed case or if there is anything
I've missed.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: =?Utf-8?B?Tmljaw==?= <SaintNick@xxxxxxxxxxxxx>
Subject: asmx httphandler not properly protecting sessions?
Date: Thu, 6 Sep 2007 06:34:01 -0700
Hello,
MSDN documentation at
http://msdn2.microsoft.com/en-us/library/ms998562.aspx#scalenetchapt10_topic
16 states:
<quote>
[WebMethod(EnableSession=true)]
YourWebMethod() { ... }
Since you can enable session state at the Web method level, apply this
attribute only to those Web methods that need it.
Note Enabling session state pins each session to one thread (to protect
session data). Concurrent calls from the same session are serialized once
they reach the server, so they have to wait for each other, regardless of
the
number of CPUs.
</quote>
This may be true amongst concurrent asmx webservice calls within the same
session, and also amongst aspx page requests within the same session. But
it
is definately not true between the two types. I.e. while a webmethod is
running on session xyz I can fire an aspx page request at the same session
and it is not serialized/queued. So both the asmx and the aspx have
read/write access to the session object.
Is this by design and must we solve this programmatically? Or is this an
oversight in the framework?
Kind regards,
Nick
- Follow-Ups:
- Re: asmx httphandler not properly protecting sessions?
- From: John Saunders [MVP]
- Re: asmx httphandler not properly protecting sessions?
- References:
- RE: asmx httphandler not properly protecting sessions?
- From: Steven Cheng[MSFT]
- RE: asmx httphandler not properly protecting sessions?
- Prev by Date: RE: asmx httphandler not properly protecting sessions?
- Next by Date: Re: asmx httphandler not properly protecting sessions?
- Previous by thread: RE: asmx httphandler not properly protecting sessions?
- Next by thread: Re: asmx httphandler not properly protecting sessions?
- Index(es):
Relevant Pages
|
