Why do ASP.NET sessions not shared between multiple IE processes
It was always one of the axioms in the back of my mind that when you open a window in Internet Explorer using Ctrl+N it has the same session in ASP.NET apps like it’s parent window, but if you run a new process of Internet Explorer it has a different session.
Well… today I had to check why does it happen.
The first step is to get familiar with two different kinds of cookies: the first is a cookie with an expiration date (AKA persistent cookie) this cookie will be saved to the disk and will be available for use until the expiration date. The second type is a cookie without an expiration date (AKA per session cookie) this cookie will be saved in the RAM and therefore deleted when the browser is closed.
Now understating the ASP.NET session issue is pretty simple: the HTTP Module which is responsible on session (SessionStateModule) creates a cookie named ASP.NET_SessionId, the cookie is created without an expiration date (per session cookie), because different processes of IE don’t share the same RAM the new process is not aware of the cookie, and the HTTP module issues a new session ID.
- ASP.NET session can work without cookies (by setting the key cookieless="true" in the sessionstate section of the Web.Config) in such case the session ID will be part of the URL.
- This behavior occurs in IE 6 and IE 7, IE 8 has a different process model where each tab is a process and there is shared memory between the processes (to hold the per session cookies and other stuff) – this behavior is similar to Google Chrome behavior.