ASP.NET Session Variables Not Sticking

J01C0089I’ve stumbled across this problem twice in the last couple of months so I figure it is about time I blogged about it.

The situation is that you have  a page on your web site that sets a session variable and then redirects to another page that is expecting the variable to be there, only it isn’t there.

The first time this happened it was a browser specific (internet explorer) issue.

The second time it happened it seemed to be an email client specific issue.

The root cause in both cases is that the application was being framed.  In the first case a page on a domain was framing the two page application on another domain.  Because of this, the P3P security protection in IE was preventing cookies from sticking.  Since sessions are primarily cookie based, the sessions were not sticking.  The easy way to solve this issue is to add the P3P security headers to your pages.

The second time  this happened was a bit more puzzling.  But once we broke out Fiddler we were able to see that once again the cookies were not sticking.  Just like when we had intentionally framed the application.  In this case, the web-based email client was not adding target=”_blank” to the email so that a new window would be created.

Lesson learned.  If you are sending hyperlinks in email, add target=”_blank” to the link so that the link will still work in lame web-based email clients that don’t do this for you.

Related Post

Leave a Reply

Comment Policy:

  • You must verify your comment by responding to the automated email that is sent to your email address. Unverified comments will never show.Leave a good comment that adds to the conversation and I'll leave your link in.
  • Leave me pure spam and I'll delete it.
  • Leave a general comment and I'll remove the link but keep the comment.

Notify me of followup comments via e-mail