在具有 StateServer 的 2 个应用程序之间共享 ASP.NET SessionState 共享相同的 SessionID 但不共享键值,为什么?
我已经没有主意了。我试图在同一应用程序池下运行并使用 mode="StateServer" 的两个 .Net 4 应用程序之间使用相同的 SessionState。我对这两个应用程序进行了测试,得到了一个奇怪的结果:SessionID 是共享的,但实际的会话项不是共享的。
它的内部是如何运作的?这是某处记录的安全限制吗?
屏幕截图 1 - 我正在 app#1 /SecureSessionTest.aspx 中设置会话项(TestData 中的简单日期): 
屏幕截图 2 - 我正在阅读同一个会话项目TestData在 app#2 /Apps/SecureSessionTest.aspx 中,但只出现 SessionID: 
我什至可以在同一个 Session("key “)。诡异的!
他们的 web.config 中都有这个:
<machineKey validationKey='7D1094A0FC13B6656141916F69F6E25D0F112A6E94BD3EF5DAEFD9755A367C09607E7D76827AC5ACAD14456665C4E0966F632F09522475758A815A4045BF3F25' decryptionKey='F0DF9FA0522E541FF246ADD8BC285A10E984444AE4361631' validation='SHA1'/>
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="60" regenerateExpiredSessionId="false" cookieName="XXXXXXXX_ASP.NET_SessionId" />
有什么想法吗?非常感谢帮助!
卡尔
I'm guetting out of ideas. I'm trying to use the same SessionState between two .Net 4 apps running under the same application pool and using mode="StateServer". I did a test on both app and I have a curious result: SessionID is shared, but not the actual session items.
How does it work internally? Is this a security restriction documented somewhere?
Screenshot 1 - I'm setting a session item (a simple date in TestData) in app#1 /SecureSessionTest.aspx:
Screenshot 2 - I'm reading the same session item TestData in app#2 /Apps/SecureSessionTest.aspx, but only the SessionID appears:
I can even set different data in the same Session("key"). Weird!
They both have this in their web.config:
<machineKey validationKey='7D1094A0FC13B6656141916F69F6E25D0F112A6E94BD3EF5DAEFD9755A367C09607E7D76827AC5ACAD14456665C4E0966F632F09522475758A815A4045BF3F25' decryptionKey='F0DF9FA0522E541FF246ADD8BC285A10E984444AE4361631' validation='SHA1'/>
<sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="60" regenerateExpiredSessionId="false" cookieName="XXXXXXXX_ASP.NET_SessionId" />
Any ideas? Help is very appreciated!
Carl
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
StateServer 通过 SessionID cookie、机器密钥和应用程序名称的组合来锁定会话。
尝试让两个应用程序共享同一个应用程序池。
上一个问题可能很有启发:
会话状态和应用程序池
(如果我最初的建议不起作用,请发表评论,我会将深入挖掘)
The StateServer keys the session off of a combination of the SessionID cookie, the machine key, AND the application name.
Try having the two applications share the same application pool.
This previous question may be illuminating:
Session State and Application Pool
(If my initial suggestion doesn't work please comment and I'll dig deeper)
@Ash 是对的,会话基于 sessionID(这取决于机器密钥以及网站域)和应用程序名称,但我确实让它在跨应用程序目录的单个站点上工作(听起来像你的方案) - 请参阅我对 状态服务器会话的回答-跨appDomain?
听起来您缺少的部分是在global.asax中显式设置应用程序名称(使用反射-我还没有找到这方面的配置设置)。我在谷歌搜索整个早上的设置后才发现这一点。
@Ash is right, the session is based off the sessionID (which is dependent on the machine key as well as the website domain), and application name, but I did get it to work on a single site across application directories (sounds like your scenario) - see my answer on state server session - cross appDomain?
It sounds like the piece you're missing is the explicitly setting the application name in the global.asax (using reflection - I haven't found a configuration setting for this). I just found out about that after googling for the setup all morning.