Any calls to ILogger.Log should specify a non-zero event id that is unique within the current logging category.

Normally when I'm making sites in other frameworks, I enjoy the fact that they will default to creating a session & cookie for every client.

It would appear as though in this library, the cookie is only set when some state is assigned to it.

Would be nice to have something like alwaysCreate or some better option name to SessionOptions.

Isn't there a possible race condition in session middleware?

Example if I would send two simultaneous ajax requests both modifying session first would set key called "key1" and second would set key called "key2".
Because there are no locks there is big possibility that only one of the keys would be set. If both would load the session and then last request to call CommitAsync would overwrite other request's modified session state.

This was handled by previous Asp.Net by only allowing one request with writable session for one session id at a time.
That solution wasn't very good performance.

Better solution would be have some sort of session update scope that would lock then load current session state for you to modify and after scope ends it would commit changes and unlock.

If that is too big of a change you should atleast fix current implementation so that setting single key only overwrites that key and not the whole session state.

@davidfowl @Eilon I think we should use the newly 'dnvm -arch x86' switch instead of the old one

After Installing the package on a new project, I get the following errors

here is my project.json file

{
  "webroot": "wwwroot",
  "userSecretsId": "xxx",
  "version": "1.0.0-*",

  "dependencies": {
    "EntityFramework.Commands": "7.0.0-beta8",
    "EntityFramework.SqlServer": "7.0.0-beta8",
    "Microsoft.AspNet.Authentication.Cookies": "1.0.0-beta8",
    "Microsoft.AspNet.Authentication.Facebook": "1.0.0-beta8",
    "Microsoft.AspNet.Authentication.Google": "1.0.0-beta8",
    "Microsoft.AspNet.Authentication.MicrosoftAccount": "1.0.0-beta8",
    "Microsoft.AspNet.Authentication.Twitter": "1.0.0-beta8",
    "Microsoft.AspNet.Diagnostics": "1.0.0-beta8",
    "Microsoft.AspNet.Diagnostics.Entity": "7.0.0-beta8",
    "Microsoft.AspNet.Identity.EntityFramework": "3.0.0-beta8",
    "Microsoft.AspNet.IISPlatformHandler": "1.0.0-beta8",
    "Microsoft.AspNet.Mvc": "6.0.0-beta8",
    "Microsoft.AspNet.Mvc.TagHelpers": "6.0.0-beta8",
    "Microsoft.AspNet.Server.Kestrel": "1.0.0-beta8",
    "Microsoft.AspNet.Session": "1.0.0-rc1-final",
    "Microsoft.AspNet.StaticFiles": "1.0.0-beta8",
    "Microsoft.AspNet.Tooling.Razor": "1.0.0-beta8",
    "Microsoft.Framework.Configuration.Abstractions": "1.0.0-beta8",
    "Microsoft.Framework.Configuration.Json": "1.0.0-beta8",
    "Microsoft.Framework.Configuration.UserSecrets": "1.0.0-beta8",
    "Microsoft.Framework.Logging": "1.0.0-beta8",
    "Microsoft.Framework.Logging.Console": "1.0.0-beta8",
    "Microsoft.Framework.Logging.Debug": "1.0.0-beta8",
    "Microsoft.VisualStudio.Web.BrowserLink.Loader": "14.0.0-beta8"
  },

  "commands": {
    "web": "Microsoft.AspNet.Server.Kestrel",
    "ef": "EntityFramework.Commands"
  },

  "frameworks": {
    "dnx451": {}
  },

}

I have wrote blog on sessions which is here: https://neelbhatt40.wordpress.com/2015/09/07/implement-sessions-in-asp-net-5vnext-and-mvc-6/

In this one person asked like Is it possible to use in-memory caching for general use at the same time as SQL server backed sessions?

I was not sure on this so i am asking it here!

dotnet/corefx@ce0506b

/cc @Tratcher

The session cookie values are opaque GUIDs used to look up entries in the IDistributedCache. However, we don't have any verification saying we actually issued said cookie. Use IDataProtection to sign and validate the value. Otherwise ignore it and create a new session.

couldn't find a way to retrieve session id the first time session has been established and before it gets written to cookie. there might be a need to track session key/id for custom metrics purpose similar to how the session id is currently logged to logger.

It doesn't appear possible to set cookie expiration for a session. So, as you know, when the browser is restarted, the session is gone. This prevents the possibility of implementing "remember me"-like functionality. Are there plans to include session cookie expiration into the session package, or perhaps I am missing something as it is?

As far as i know if we want to implement Session in any normal class which is not a controller we can access the HttpContext by injecting IHttpContextAccessor.

So like:

private readonly IHttpContextAccessor _httpContextAccessor;

public SessionUtility(IHttpContextAccessor httpContextAccessor)
{
    _httpContextAccessor = httpContextAccessor;
}

I would like to know if there is any default wrapper is made for this or it is final implementation?

Reason for this is to update it in my Post which is here: https://neelbhatt40.wordpress.com/2015/09/07/implement-sessions-in-asp-net-5vnext-and-mvc-6/

I'm having difficulty getting session variables to persist across requests when using Microsoft.Extensions.Caching.Memory. Steps to reproduce are:

1. Create a new project using the ASP.NET 5 Web Application template in VS 2015 Update1, with no authentication.
2. Add the following to the end of the project.json file:

"Microsoft.AspNet.Http": "1.0.0-rc1-final",
"Microsoft.AspNet.Session": "1.0.0-rc1-final",
"Microsoft.Extensions.Caching.Memory": "1.0.0-rc1-final"

1. Amend the StartUp.ConfigureServices method as follows:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCaching().AddSession().AddMvc();
}

1. Add app.UseSession(); to the beginning of the Configure method.
2. Add using Microsoft.AspNet.Http; to the HomeController class and amend the Index and About methods:

public IActionResult Index()
{
    HttpContext.Session.SetString("Message", "Hello World");
    return View();
}

public IActionResult About()
{
    ViewData["Message"] = HttpContext.Session.GetString("Message");
    return View();
}

When I add a breakpoint to the Index method, I can see that the Session _store has a Count = 1, but the backing store (_memCache) has 0 entries. When the About method is invoked afterwards, the session collection has 0 entries.

Am I overlooking something?

• Nuke ConfigureXyz
• AddXyz should have overload with Action<XyzOptions>

The "read me" content need to be change, because what i have seen is the content of the Caching repository https://github.com/aspnet/Caching

Can we have a way to cancel the current session, something looks like Session.Abandon(). This may related to the issue #20 because it should fire a onEnd event

Session is not maintained between web requests.

In Startup->ConfigureServices()
services.AddMvc();
services.AddCaching();
services.AddSession();

In Startup->Configure()
app.UseSession();
app.UseMVC(...)

I see the services.AddSession() has:
ServiceCollectionExtensions.AddTransient<ISessionStore, DistributedSessionStore>(services);

Should this be a scoped service?

There are many cases the require using more than Int & String, It will be nice if there's a generic version of getting and setting Session objects. I hope to see something like

context.Session.Get<bool>("isLoggedIn") 

Is it possible to run SQL backed Session while simultaneously using in-memory implementation for general caching?

If so, can you point me to some samples of how to properly configure the services to accomplish that scenario?

My use case is needing out-of-proc sessions (due to load balancing bouncing users around servers) while at the same time wanting the performance of in-proc caching for controller output fragments, etc.

Thanks!

After I get the latest changes specially "Update .kproj => .xproj", the VS can't load the projects properly

I'm curious why the session management system still doesn't implement something more secure like what is discussed http://www.dotnetnoob.com/2013/07/ramping-up-aspnet-session-security.html in great detail.

Is there something intrinsically wrong with the techniques outlined in that post? I ask out of ignorance, as someone who is looking to build a system with strong security in place.

Is there a plan to support the dnxcore50 ?

Hello,

Is it possible to imagine that ISession can be directly registered in the DI container ? Perhaps throught a factory that use the ISessionFeature ?
This is only to lighten syntax while using session. The HttpContext is not really testable and I think that injecting an ISession into my controller would be much easier than injecting ISessionFeature to finally get the ISession.

Thanks

I'm using an extension method on controller to set alerts using TempData which in turn depends on session, code for the method is as follows:

private static void AddAlert(
        this Controller controller,
        string alertStyle,
        string message,
        bool dismissable)
    {
        try
        {
            if(controller.Context.Session != null)
            {    
                var alerts = controller.TempData.ContainsKey(Alert.TempDataKey)
                ? (List<Alert>)controller.TempData[Alert.TempDataKey]
                : new List<Alert>();

                alerts.Add(new Alert
                {
                    AlertStyle = alertStyle,
                    Message = message,
                    Dismissable = dismissable
                });

                controller.TempData[Alert.TempDataKey] = alerts;
            }


        }
        catch(InvalidOperationException)
        {
            // happens if session is not configured
            // TempData depends on session
        }

    }

I don't like it that it I'm having to catch System.InvalidOperationException even though I'm checking if session is null. If I remove the check for null the error is not stopped by the try catch so it completely breaks the app if session is not configured. Adding the null check somehow made it possible to catch the exception.
Of course I can fix it by enabling session, but my code is in a library that I expect others to use and I don't want to force them to enable session if they don't want to. If they don't enable session I want the alerts feature to fail silently, it will be documented that to use it session must be enabled. But in that scenario I'm forced to keep swallowing the exception which seems undesirable.

Is there any way to detect if session is available without raising an exception?

Why AppVoyer & Travis dump 2 error which come from this commit 086b53d, I tried to build it in my end, but the same errors show up, seems doesn't recognize the new method, it shows "OnResponseStarting".
Are we missing a reference or the reference is not updated yet?!!

/cc @HaoK @Tratcher

With NLog users can log session values (e.g. to file).

In ASP.NET4 this works well, but with this library we have the following issues:

• This could lead to a stackoverflow, as DistributedSession.Load and DistributedSession.LoadAsync also writes log messages - we have made a work around this.
• Reading session could lead to exceptions: System.InvalidOperationException: Session has not been configured for this application or request.

How do we check (without writing a log message) if the session is available/configured, so that we can prevent these issues?

Related #99, https://github.com/NLog/NLog.Extensions.Logging/issues/28

Data of a session should be alive even when user does not 'access' the data but is still actively communicating with different parts of the application. So call refresh the session if not modified here
https://github.com/aspnet/Session/blob/dev/src/Microsoft.AspNet.Session/DistributedSession.cs#L121

/cc: @Tratcher

@muratg : I think we should do this for Beta6

Is there any plans to implement Session events (onStart, onEnd) which we have seen in global.asax before

As seen at #49 reading session ids aren't supported anymore?

Are there any plans to still get the session-id? Because this is a big breaking change - and in my opinion unneeded.

We need it for logging purposes. Maybe session-ids aren't perfect, but AFAIK there are still existing (but not readable).

If the cookie is marked as Secure (#106), bind it to the TLS token (https://github.com/aspnet/Security/issues/773, https://github.com/aspnet/IISIntegration/issues/31)

One of the larger complaints with Asp.Net 4 Session is that when the session provider goes down it takes down the entire site, when session may not be a critical component of the site.

We have not hardened the new implementation to handle this scenario. There are several TODOs in the code (https://github.com/aspnet/Session/blob/dev/src/Microsoft.AspNetCore.Session/DistributedSession.cs#L105) around suppressing session load failures. We even had an ISession.IsAvailable property to indicate this, but I think it was removed when nobody used it.

As we know that there many session management techniques are present such as InMemory, Distributed or even Database, some of them may takes long time to get or set the values in the store, indeed we need to support async as first class

My Project.json

"dependencies": {
"EntityFramework.Commands": "7.0.0-rc1-final",
"EntityFramework.MicrosoftSqlServer": "7.0.0-rc1-final",
"Microsoft.AspNet.Authentication.Cookies": "1.0.0-rc1-final",
"Microsoft.AspNet.Diagnostics.Entity": "7.0.0-rc1-final",
"Microsoft.AspNet.Session": "1.0.0-rc1-final",
"Microsoft.AspNet.Http": "1.0.0-rc1-final",
"Microsoft.AspNet.Http.Extensions": "1.0.0-rc1-final",
"Microsoft.AspNet.Identity.EntityFramework": "3.0.0-rc1-final",
"Microsoft.AspNet.IISPlatformHandler": "1.0.0-rc1-final",
"Microsoft.AspNet.Mvc": "6.0.0-rc1-final",
"Microsoft.AspNet.Mvc.TagHelpers": "6.0.0-rc1-final",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-final",
"Microsoft.AspNet.StaticFiles": "1.0.0-rc1-final",
"Microsoft.AspNet.Tooling.Razor": "1.0.0-rc1-final",
"Microsoft.Extensions.CodeGenerators.Mvc": "1.0.0-rc1-final",
"Microsoft.Extensions.Configuration.FileProviderExtensions": "1.0.0-rc1-final",
"Microsoft.Extensions.Configuration.Json": "1.0.0-rc1-final",
"Microsoft.Extensions.Configuration.UserSecrets": "1.0.0-rc1-final",
"Microsoft.Extensions.DependencyInjection": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Console": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Debug": "1.0.0-rc1-final",
"Microsoft.VisualStudio.Web.BrowserLink.Loader": "14.0.0-rc1-final"
},

Install asp.net rc1 and when I download the asp.net session shows me the error: The dependency Microsoft.AspNet.Session> = 1.0.0-rc1-end Could not be resolved, not how to fix it.

thank you

It will be nice to move all string messages to a resource file for clarity also it be easy for localization purpose. Let me know if sound is good to create a PR for that
/cc @Tratcher

Consistency with other AddXyz() methods, also nit:

https://github.com/aspnet/Session/blob/dev/src/Microsoft.AspNet.Session/CachingServicesExtensions.cs

Copy paste issue with class/file names

I already uncomment the lines to use the Microsoft SQL Server implementation of IDistributedCache, but whenever I execute the dnx . install-sqlservercache command error show up in the command line

The session cookie needs the ability to have the 'Secure' flag set.

This depends on aspnet/HttpAbstractions#612.

Note we considered doing this in the past (#28), but we considered the Microsoft.AspNetCore.CookiePolicy middleware to be adequate. That's no longer the case because we want to apply token binding data protection based on if the cookie will be marked as Secure.

It will be nice if we provide a rich documentation for public APIs, because what i have seen that one or two classes have a proper documentation.

/cc @Tratcher

Are there any changes in Sessions like,

Previously it was:

Context.Session.Set(String, byte[])

and in beta 8 it is:

HttpContext.Session.SetInt32(String, byte[])

as shown here:

https://christopherhackett.co.uk/blog/2015/10/17/ASP.NET-5-MVC-6-renames-in-beta-8/

Though I tried to search but I am not sure about this change!

Hello,

we need to be compliant with various secure coding standards (and non-disclosure secure coding requirements) as for example the OWASP ASVS3.0.

I miss convenient methods to acheive
a) session id regeneration
b) access to the session id
c) "secure" cookie attribute.

If i simply missed them please point me there. Otherwise i would be glad to know the plans on these topics.

Is there a way to use Token passed in custom header instead of cookie to pass session ID?
As per docs only cookie can be used to pass session ID around.

We have microservice architecture with centralized session storage. A token based approach seems to be more suitable instead of keeping a domain level cookie to pass around.

As far as I remember correctly, in System.Web world, session locks the requests and only allows one request to go through at a time per session (I could be wrong). Is this also the behavior we get with this session middleware?

I want to provide session affinity for my web applications but I am not sure if the session middleware if the right choice to provide that. If it has the lock behavior I mentioned about, it wouldn't fit well.

The sessionid is already used in some parts like logging and creating sessions. With that in mind, it's strange that we can't read the sessionid when we use isession - it seems that sessionid is a important part of the whole session (otherwise why log it) .

Also in the previous versions of asp.Net, the sessionid was readable.

So please think of including sessionid in isession.

(limited Internet device now - mobile - so ignore the full lowercase names)

Is there a way to do "lazy" initialisation of the session - ie. start the session only when it's actually being used? At the moment, using the session middleware initialises the session on every single page regardless of whether it's actually used on that page, which prevents caching of every single response at a reverse proxy (as responses with cookies are not cacheable at any intermediary server). On my site, only certain pages uses the session, whereas others are fine without it (and I want to cache those pages in Nginx).

I looked at the current sample code for Distributed Cache for Session State using Redis. It was not clear to me where we configure the RedisCache connection information. Anyone know?

Adding session without adding caching always throws on first temp data access:

public void Configure(IApplicationBuilder app)
{
    app.UseSession();
    // Other code
}
public void ConfigureServices(IServiceCollection services)
{
    services.AddSession();
    // Other code
}

maybe AddSession could register caching by default if it's required anyways?
Because dependency injection says very little about what is wrong with me codez

I notice from couple months ago a strange behavior while I run the sample in Chrome browser, the visits session increment by two instead of one!! I upgrade the Chrome today, but the same behavior occurs, i'm not sure what causes this bug

Is there any concern about how this implementation doesn't appear to allow for concurrent write access to session data? If request A starts and reads from session, then request B starts, reads, and writes to session, and then request A writes to session and finishes, then the data data written by B is lost -- even if it's a different session variable that request B used.

While I love the fact that requests are not locked to maintain session integrity, there must be a way to maintain for concurrent requests to safely update the session. Could there be some change tracking added?

Tracking item for making changes as per API review.

Additional notes:

• To limit number of abstractions like ISession, ISessionFactory, ISessionFeature and ISessionCollection, one of the ideas is to remove Session property from HttpContext. Since Session is an optional feature any ways, we could provide an extension method on HttpContext like GetSessionAsync, which when called loads the session in an asynchronous way.
  The setting and getting of values is synchronous.

// In an Mvc action (pseudo code):
var session = await Context.GetSessionAsync();
session.SetInt32("key1", 100);

• Currently session data is loaded on-demand, i.e the first time a user tries to get/set a value in it. Users get/set the value using synchronous api, which forces us to do a blocking call when loading the session.
  Can we avoid this blocking call and make users use async api as the example in point 1 above? I think any change here would have an impact on backward compatibility too.
  Also the TempData feature in MVC uses Session internally and so if we want to make async changes, it would have to be reflected in TempData too.
• Let Session and TempData be synchronous as they are today for simplicity sake, but also provide asynchronous apis for users who are looking for more performance.

@Eilon @Tratcher @muratg

I am using sessions to manage application state in ASP.NET CORE and it's configured as below.

 services.AddSession(options =>
            {
                options.CookieName = ".my.Session";
                options.IdleTimeout = TimeSpan.FromSeconds(20);
            });

It's working on localhost but on remote IIS 8 it's not creating cookies so not able to get the values. I also have enabled CORS and don't know what exactly caused this problem. In log it's not showing error either. It's creating session getting stored id but no cookie at client side.

https://github.com/aspnet/Session/blob/dev/src/Microsoft.AspNet.Session/SessionMiddlewareExtensions.cs#L16