HttpContext.Current.Session["CslaPrincipal"] is being set to null somewhere and throwing an error in global asax

HttpContext.Current.Session["CslaPrincipal"] is being set to null somewhere and throwing an error in global asax

Old forum URL: forums.lhotka.net/forums/t/2811.aspx

dstarkey posted on Wednesday, May 02, 2007

Hello everyone,

I am totally dumbfounded.  I keep getting a null reference to the

HttpContext.Current.Session object and more specifically

HttpContext.Current.Session["CslaPrincipal"];  I see this value get set, but somehow the session object is reset to null.  I am using state server. 

Here is my global asax code:

protected void Application_AcquireRequestState(object sender, EventArgs e)
{
   if (Csla.ApplicationContext.AuthenticationType == "Windows"
      return;

System.Security.Principal.IPrincipal principal;
try
{
//Throwing the null reference here, but does initially work, ??? State Server issue???
      principal = (System.Security.Principal.IPrincipal)   HttpContext.Current.Session["CslaPrincipal"];
}
catch
{
principal = null;
}

if (principal == null){

// didn't get a principal from Session, so
// set it to an unauthenticted SPrincipal

Synergy.Library.Security.SPrincipal.Logout();
}else{

// use the principal from Session

Csla.ApplicationContext.User = principal;
}

Session value is initially set in this code snippet from the index page.  I have stepped throught the code and verify that these values are indeed set!  However in the midst of running the application the global asax throws a null refererence exception for my HttpContext.Current.Session["CslaPrincipal"]  session object. 

Synergy.Library.Security.SPrincipal.Login(user, pw);
userId = Csla.ApplicationContext.User.Identity.Name;

if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
HttpContext.Current.Session["CslaPrincipal"] = Thread.CurrentPrincipal;
HttpContext.Current.User = Thread.CurrentPrincipal;
GetAuthorizedCompanyList(userId); //slower on login, but once done lightning fast

FormsAuthentication.RedirectFromLoginPage(user, false);
}

PLEASE HELP, NO IDEA OF WHERE TO EVEN LOOK REGARDING THIS PROBLEM.

 

RockfordLhotka replied on Wednesday, May 02, 2007

What version of CSLA are you using? (there was a bug in some older versions)

Are you using IIS or Cassini for hosting? (Cassini is broken in this regard)

Are you sure Session has actually been restored by the time your code is running? In other words, are other Session variables present in Session at that time?

dstarkey replied on Wednesday, May 02, 2007

1) Csla 2.0

2) IIS

3) You were correct Session had not had enough time to be restored.  So fixed problem in the following way in the global.asax

 

        if (HttpContext.Current.Session == null)
        {
            Synergy.Library.Security.SPrincipal.Logout();
        }
        else
        {
            System.Security.Principal.IPrincipal principal;
            try
            {
                principal = (System.Security.Principal.IPrincipal)HttpContext.Current.Session["CslaPrincipal"];
            }
            catch
            {
                principal = null;
            }
        }

Thanks for your help!

RockfordLhotka replied on Wednesday, May 02, 2007

I'm glad you resolved the issue.

If you are actually using 2.0.0, I would recommend moving to 2.0.3, as there are some important bug fixes in those point releases. (www.lhotka.net/cslanet/download.aspx)

JoeFallon1 replied on Thursday, May 03, 2007

This issue has come up in different forms since ASP.Net 2.0 came out.

I think the real cause is that AcquireRequestState can be called multiple times for the same request!

I am not clear as to how or why this happens but depending on your environment and what 3rd party controls you use, you need to know that it can be called more than once and that sometimes the Session is not present.

I changed my code to something like this a while back:

Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState

'JF 10/26/06 - test for existence
If System.Web.HttpContext.Current.Session Is Nothing Then
  Exit Sub
End If

etc.

Joe

ForteUnited replied on Saturday, July 19, 2008


JoeFallon: Nice work man! I thought I was going nuts.... at first I thought maybe my session had actually expired but my FormsAuthentication hadn't expired. I noticed that FormsAuth timeout is defaulted to 30 mins and Session timeout is defaulted to 20 mins, so I made them both the same. This was a good find but it didn't explain why it this was happening to me because every time it occurred I was actively developing and making round trips to the server which should have updated my sliding window on the timeouts.

After reading your post I went back and put a breakpoint in the the AquireRequestState method and sure enough it gets hit several times per request occassionaly and during those multiple hits Session is NULL!


ROCKY: Please update the ProjectTracker app with this fix, would have saved me tons of headache and time!

Thanks!

Copyright (c) Marimer LLC