Session Management

Version 1
    This document was generated from a CDN thread

    Created by: Itay Even Hen on 26-01-2010 09:05:18 PM
    I have a custom service that requires authentication in front of a web server (ASP.NET).
    The product of successful authentication stores some information on the session.
    When the server gets a request that does not include this information, the user is redirected back to the login page.
    We've identified that sometimes, after this authentication, and running other applications/services, this session information is lost, and the user is redirected again to the login page. This is very frustrating from the user's perspective, since he is required to type his username and password again (it can also happen 1 minute after the previous login).
    I know that the server didn't terminate the session (it should last 20 minutes by default), and therefore I guess that the phone ran out of resources and cleaned the session information.
    How can I make sure that this is indeed the case? Is there any log on the phone itself that can explain this behavior?
    Is there any way to avoid it or any alternative to overcome that?

    Subject: RE: Session Management
    Replied by: David Staudt on 26-01-2010 10:50:21 PM
    My understanding is that the phones can store up to 10 cookies, up to 255 bytes each, which are retained for 30 minutes.
    If you are seeing something that doesn't fall within those parameters - for example a cookie being lost after 1 minute - then that doesn't sound right. It may be useful to gather a network packet capture - i.e. via Wireshark on a PC attached to the phone's extra PC switch port - to see exactly what is passing back/forth to the phone in the HTTP packets.
    Feel free to post the pcap here if you can't spot anything.

    Subject: RE: Session Management
    Replied by: Jonathan Withers on 27-01-2010 08:36:44 AM
    You could always try using cookieless sessions. If you do this then the session information will be stored within the query string. When using devices like IP Phones this is a more reliable way of ensuring the session isn't lost by the low-spec client.

    Subject: RE: Session Management
    Replied by: Itay Even Hen on 03-02-2010 08:16:25 PM
    We've just discovered that each time the user clicks the 'Services' button, a new session is initiated by the phone (it seems like it clears the previous data).
    Is that by design of the Cisco phone? According to the documentation of the SDK, it shouldn't work like that.
    Jonathan - as for your idea - it does not sound reasonable that it would work. Each time the user clicks the 'Services' button, the original URL is being used (without the session id). As a result, the server won't be able to recognize the session parameters and retrieve the data.

    Subject: RE: Session Management
    Replied by: David Staudt on 03-02-2010 09:32:54 PM
    Unless 30 minutes have expired, I agree; I think the phone should be providing the cookie if it is retrieving from the same host. Please provide:
    - Model of phone
    - Phone firmware version (also try upgrading to the latest available)
    - Network packet capture of a complete test run (from phone boot-up through capture of the 'failure' result)

    Subject: RE: Session Management
    Replied by: Yochay Alufer on 04-02-2010 08:15:00 AM
    Hi David / Jonathan,
    I'm with Itay on this one...
    - The model of the phone is 7940. I simulate it also using Cisco IP Communicator.
    - I send back to the phone in my first response a cookie attached with a GUID I need for logging in to my application.
    - While the session is open, I can see the cookie sent from the phone with each URL request.
    - If I press the Services button, the session is dead, and the cookie is not sent back when trying to get the first service again.
    - I even tried cookieless mode. When I press the service it says "Invalid Host", even though with a regular browser I get to the page.
    Please advise. Thanks!

    Subject: RE: Session Management
    Replied by: Jonathan Withers on 04-02-2010 08:48:05 AM
    Ok, I understand the issue and it's due to the implementation of the buttons on the phone hardware.

    There is a solution but it will require some work. You will need to write your own state management server. This will need to get the deviceId from the incoming request and map it to the data that you are storing. This service will also need to be responsible for controlling the lifetime of your state and how long it should be available. I've not implemented this before but I've done some similar things; if you need a hand then let me know.
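The device-keyed state store Jonathan describes, as an added example written in Python; it is not code from the thread or from ASP.NET. It assumes the device id has already been extracted from the incoming request (the mechanism is not shown), and the device name and user values are constructed placeholders. The store keeps the thread's 20-minute lifetime as a sliding expiry, so a request that arrives without a cookie after a 'Services' press is still recognised while the state is live.

```python
import time

STATE_TTL_SECONDS = 20 * 60  # the 20-minute default session lifetime mentioned in the thread


class DeviceStateStore:
    """Login state keyed by the phone's device id, with sliding expiry.

    The phone keeps nothing the server relies on (it drops its cookie when
    'Services' is pressed), so state is found by a device id taken from the
    request. That id is not proof of identity: an entry exists only between a
    successful login and the logout or expiry that removes it.
    """

    def __init__(self, ttl=STATE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable so the lifetime can be tested deterministically
        self._entries = {}   # device_id -> [expires_at, data]

    def put(self, device_id, data):  # called once a login has succeeded
        self._entries[device_id] = [self._clock() + self._ttl, dict(data)]

    def get(self, device_id):  # live state for the phone, or None if absent/expired
        entry = self._entries.get(device_id)
        if entry is None:
            return None
        now = self._clock()
        if now >= entry[0]:
            del self._entries[device_id]  # expired: the phone must log in again
            return None
        entry[0] = now + self._ttl  # sliding expiry: each use extends the lifetime
        return entry[1]

    def invalidate(self, device_id):  # logout: forget the phone's state immediately
        self._entries.pop(device_id, None)


def handle_request(store, device_id):
    """Serve a request carrying only the device id, as after a 'Services' press."""
    state = store.get(device_id)
    return ("serve", state) if state is not None else ("redirect_login", None)


if __name__ == "__main__":  # walk through the scenario from the thread (constructed values)
    t = [0.0]
    store = DeviceStateStore(clock=lambda: t[0])
    store.put("SEP000000000001", {"user": "example-user", "guid": "constructed-guid"})
    t[0] += 60                  # a minute later the phone hits 'Services' with no cookie
    print(handle_request(store, "SEP000000000001"))   # ('serve', {...})
    t[0] += STATE_TTL_SECONDS   # idle past the TTL
    print(handle_request(store, "SEP000000000001"))   # ('redirect_login', None)
```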