Lazy initialisation of session about session HOT 4 CLOSED

I guess I could do this by having my own middleware that wraps SessionMiddleware and only uses it when I know a session is needed (otherwise, bypass it and go directly to the next middleware).

Even so, it would be good to be able to have "session free" controllers that don't start a session. WebForms has enableSessionState which allowed you to enable or disable session on a per-form basis, maybe MVC could have an attribute for that? I also think the session in prior versions of ASP.NET MVC isn't initialised until you explicitly use it, but I'm not 100% sure about that.

from session.

The SessionMiddleware is already designed to be lazy. See https://github.com/aspnet/Session/blob/dev/test/Microsoft.AspNet.Session.Tests/SessionTests.cs#L28. If it's failing to be lazy that's probably an issue in consumption (MVC?).

That said, your described behavior sounds bizarre, Set-Cookie and no-cache should only be set on responses that didn't have the request cookie to begin with (and only if session was actually written to). Even if session weren't lazy, it shouldn't write the cookie to every response.

from session.

If it's failing to be lazy that's probably an issue in consumption (MVC?).

I'm also using identity/authentication, so it might be something in that middleware. I'll do some investigation and close this out if the issue is elsewhere.

Even if session weren't lazy, it shouldn't write the cookie to every response.

Sure, but after the cookie is set, it's sent in every request from then onwards (via the Cookie request header). Proxies may be set up to not cache any requests that contain a cookie, as the server-side response may vary depending on the cookie. For example, if I have an admin section that is only available when I'm logged in, I wouldn't want any of its responses to be cached at a proxy at all, just in my browser.

In my case, I'm using nginx (via Mono FastCGI for ASP.NET 4, and as a reverse proxy to Kestrel for ASP.NET 5), and I explicitly turn off caching if there's a session cookie:

map $http_cookie $logged_in {
    default 0;
    # Never cache responses if they have auth cookies in them
    ~ASPXAUTH 1;
    ~.MONOAUTH 1;
    ~.AspNet.Session 1;
}

...
    # Scenarios where we don't want to cache
    proxy_cache_bypass $logged_in;
    proxy_no_cache $logged_in;

This is working with the current ASP.NET 4 site, as it is not setting the ASPXAUTH cookie until the session actually begins (so logged out users correctly get the cached responses). In theory (based on your comment) it should be working on the ASP.NET 5 site too, I just need to figure out what's initialising the session too early.

from session.

Okay I figured it out. MVC is setting __ControllerTempData to an empty byte array when it loads the temp data: https://github.com/aspnet/Mvc/blob/ff6cbfd7cf93f1bb85e5a3ef24bb4c9a9d7cd38e/src/Microsoft.AspNet.Mvc.ViewFeatures/TempData/SessionStateTempDataProvider.cs#L145-L147. This means that there's always data in the session when accessing MVC TempData, and thus it always initialises it. It seems intentional based on that code. I had a TempData["message"] in my _Layout.cshtml.

For now I'll just get rid of TempData in my code.

from session.