- Q1: How does the performance rate? - answer
- Q2: How do I customize the ISP Session cookie? - answer
- Q3: How secure is your component? - answer
- Q4: What is the difference between version 5.5 (as of March 01, 2010) and 5.4? - answer
- Q5: Is ISP Session leak free? - answer
- Q7: Can ISP Session run on Windows x64 in IIS 32-bit mode? - answer
- Q9: Who are your clients? - answer
- Q10: How did you carry out the test? - answer
- Q11: How can I get support? - answer
- Q14: I like the LiquidCookie feature, but isn't it difficult to prevent a
user clicking on 'back' and receiving a 'session expired' message? - answer
- Q15: Is your cookie/URL encrypted? - answer
- Q20: How does it work internally? - answer
- Q22: How many and what types of object can be stored inside the ASP session? - answer
- Q23: What is recommended: querying my database or storing an ADO record set in the
- Q26: Which data type(s) can ISP Session handle?
- Q27: Does ISP session rely on Microsoft's session object? - answer
- Q44: Which third party DBMS do you use for Session Storage, MS SQL/Oracle or My SQL etc.? - answer
- Q45: I'm testing ISP Session and found that the pages time-out why? answer
- Q47: Does ISP Session support web gardens (IIS 6 and higher)? - answer
- Q51: I cannot share my session cookie with another host on the same web farm, for example: http://test1.mysite.com and http://test2.mysite.com while I do have the Application("AD_DOMAIN") = ".mysite.com" setting. - answer
- Q52: How can I share a session between a secure website and an unsecure website? answer
- Q54: How compatible is ISP Session with ASP.NET (any version) - answer
- Q55: Will you create a similar component for ASP.NET 2.0? - answer
A1: Simply great! The numbers vary because of hardware and software differences and improvements, but in brief: Create a simple
ASP page with a small incremental Session counter. For a simple 64 bit system we measured 400 ASP page requests per second.
One customer reported that he has average load of 7000 asp user sessions per minute on his web farm.
Of course the performance is slower than the native session object but the scalability
is much better. This means, for example, that a standard ASP solution could easily handle 100 users, but with 1000 users it starts to groan. In contrast, our solution
would still be happy.
A2: For clustering sites with several hosts like
www.yourdomain.com and news.yourdomain.com etc you need to set the cookie
domain property in Global.asa, see Application("AD_DOMAIN") = ".yourdomain.com".
Of course a sub-path on Application("AD_PATH") = "/yourpath" can to be set too if you need to share the session cookie with several virtual directories. For
each shared ASP Application you should set the variables as explained in the 'Readme.rtf' document.
A3: Security is one of our most important goals
with this component. The session tokens are generated on a random basis
(1 on 3e+38) using an RSA session token.
The token is sent to a browser as a cookie or inside the
URL to maintain the session between the
web server and user. Since a network sniffer can pick up any local HTTP
traffic, SSL is the only viable option to make your HTTP traffic secure. Any other encryption without using a
public-private key algorithm is vulnerable. Using any legacy hash mechanism, over HTTP, intead of HTTPS, would give you a false feeling of security.
We should mention that you can buy the source
code and compile it yourself if any other security concern would exist.
Please read the license agreement before doing so.
Using session tokens inside a URL is slightly more unsafe than using normal
'temporary cookies' because temporary cookies are stored in RAM and
expire after closing the browser. However, URL's containing session
id's are valid after the user closes the browser as long as the
timeout period did not expire. This is not an issue if client computers are not shared among different users.
About internal security. ISP Session always uses length prefixed buffers. So is not sensitive to buffer overflows. The storage mechanism uses a binary format plus compression. So, without special tools, nobody can read persisted session data easily.
- The SessionPing component has been dropped. ISP Session automatically 'pings' if no data has changed
- The need for a third party database (ie. Microsoft SQL Server) has been removed.
- It is tested and supported on Windows 2003 sp2 up to Windows 2008 R2
- SETUP is simplified since no SQL database setup is required.
- Compression performance has been improved.
- native Support for ISessionObject and IVariantDictionary have been (re)added.
This is ideal for legacy applications and a minimal code change when you would implement ISP Session
- ISP Session 5.5 is a hybrid component. It uses both the best of unmanaged code and managed code
- The code footprint for ISP Session is considerably smaller since it uses no third party drivers like OLEDB or SQL Native Client anymore.
Therefore, the memory and runtime requirements therefore, are less strict.
- 5.5 does not need SQL server and the state server uses considerable less CPU resources compared with 5.4 using SQL Server
- Version 5.5 is not binary compatible with previous versions. If you want to migrate, please contact us.
- In short, more tuning, less overhead.
- 5.5 does not use a JIT pattern on persisted COM objects (such as ADO or DomDocument). At each page request, all objects which were stored in the Session will be reactivated at page construction time.
A5:We have done as much as possible tests to resolve leaks. The results are viewable (look at the horizontal private bytes line!) see this image
The image shown here, does not represent a scalability benchmark. It was used only to find leaks. Also, IIS had been set to low-application protection, so we measured 'Inetinfo.exe private bytes'
- A7: Yes, ISP Session can. However, before built 184.108.40.206, SETUP did not prepare for such installation. If you download the latest version, SETUP will make the required settings. Still, older 32-bit ISP Session DLL (Csession.DLL) read the HKLM\Software\Wow6432Node\NWCtools node. The mentioned version, has been fixed to read the HKLM\Software\NWCtools node, even if the IIS application, runs in 32-bit compatibility mode (ie. the enable32AppOnWin64 setting is set to true).
For a special price, you can upgrade to the latest, revisioned version. If you however, stick your your current release, you'll have to manually transfer the registry key values, to the first mentioned node.
A9: Our clients include Canadian Railways, slimfast (US), Intellipro (US), EDS (Germany), Accenture (US), EZprints (US), Innovative Process Administration (US), Cognisoft (UK), Promissor (UK), ABW Tech (UK), Federal Mediation and Conciliation Service(USA), Identex Ltd (UK), Lockwood Greene (US), Syntec (UK), Vodafone (Ireland), Coldwell Banker Prime Properties (USA), State Digital (UK), Computershare (Australia), Undernet (Latvia), C2Softare (UK) and many more.
A10: We ran long tests using a stres test tool (WCAT) to
see how the memory line and performance line would behave. Our tests allowed
us to identify and solve many problems (such as leaks). Our
downloadable demos helped us check conformance and reliability.
A11: You can hire us. National borders are no
obstacle. You can call us to make arrangements, or you can email any
questions about the component. Most questions will be answered within a day.
A14: You're right. If you have set this feature in
combination with the URL cookie, a user really is forbidden to
click on 'back' or press Ctrl-R (reload). This won't happen when you use a
normal cookie to keep the session because the browser will always fetch the
new cookie and send it back to the server.
This is one drawback of not using cookies. Unless you want to scare users
with an occasional 'expired session' message, you'll have to choose a
client-side solution for the 'back' or 'refresh' button using Java script. A
common trick is to use location.replace("newurl.htm");. The
replace function, which is available in IE 4 and NS 4 (or wherever), will
prevent the browser history queue from being built!
A15: No, it is not encrypted. Even if we were to encrypt it, it would not prevent a sniffer
intercepting the session token.
Because SSL was designed to ensure secure traffic, it's better to implement
SSL on your website if you want to protect the session token.
But, maybe, your question is related to the question: 'is your session token, predictable?'
No, it is not.
A20: We basically wrap a stream to serialize session data to or from, each time an ASP page is requested.
The stream is unzipped and unpacked to a lightweight
key indexed property store (or a dictionary), that can contain almost any type of data.
When the ASP Page enters the destructor, the stream is compressed again and written to the state server using TCP Sockets.
The database ensures that no concurrency trouble exists, by utilizing a so-called 'timestamp'.
- A22: On our demo web server a persisted
object with 160 kB data needs 30 ms to be fetched. Your web
server and DBMS might show better numbers, but in general a small ADO record
set needs about 2Kb. So be careful not to store too many objects in
Any class (ADO or FreeThreaded DomDocument) that supports IPersistStream or IPersistStreamInit can be serialized. See our sample on the subject on persisting a COM component written in CPP.
A23: We cannot say which is faster because it depends
on your query. If your specific DBMS query is a heavy and demanding query that is required on more than just one ASP page,
it would be better to store the query output in the Session.
A26: It is compatible for normal oleautomation compatible data
and arrays plus the System.Int64 datatype (VT_UI8 and VT_I8). For objects it is not compatible. In view of the
scalability arguments explained above, we choose non-compatibility for
objects. In addition, only persistable COM objects are supported ie. they support either interface IPersistStream or interface IPersistStreamInit.
Those objects that you want to store in the Session, must be single Session variables, so you cannot persist arrays of objects.
A27: The ASP Session component is independent of
Microsoft's session object. For reasons of scalability, it would be bad
practice to build a dependency between them. It is better that the Microsoft
Session manager is switched off. You should not use them both.
A29: LogonUser does work when the ASP application is
configured to run in-process. When you configure your ASP application to run
inside a pooled application or out-of process, give the IWAM_Computer account
the 'run as part of the os' right using the Domain Policy editor in Windows
2000. This right becomes effective after the web service is restarted and the
AD synchronization is completed.
- A36: Yes, the
downloadable demo contains modified scripts that use Jscript. Events such as
Session_OnStart and Session_OnExpired, however, cannot be supported.
- A44: ISP Session 5.5 is using a custom binary database service. So there is no third party DBMS needed.
There is no single simple answer to this. ISP Session is very scalable, however, sometimes an environment, requires too many Session refreshes for the same session.
This might cause lots of DBMS page locks.
If this is the case, make sure, you don't use HTML frames and that you avoid Session.Transfer or Session.Execute (these are the compatible method replacement for Server.Transfer and Server.Execute).
- A51: Using a HTTP packet sniffer, we found that IE 6 badly deals with cookies that include a domain property. (This property can be set using for instance with ASP with Response.Cookies("mycookie").Domain = ".domain.com") .
IE would pile up the GUID cookie in the RequestVariables collection instead keeping one unique cookie. FireFox 1.0 does not exposure this behaviour.
Work around 1
Apply the CookieExpires setting in global.asa.
'insert line below or uncomment it.
Application("CookieExpires") = 20
The cookie will have the .Expires setting which makes the cookie a persistent cookie on the client disk. Some users deny all cookies so you should include a test for browsers that deny persistent cookies for your web farm.
Work around 2
Design your network configuration in such a way that your Web Farm is accessable using one hostname such as 'www.yoursite.com'. Your smart router hardware or software should
balance the traffic among the web servers in your webfarm.
You could use Microsofts network loadbalancing for instance.
Work around 3
If you want to redirect to another website, but not using cookies (because of the IE bug) you can use the idea below:
Session.ReEntrance = True
We feel sorry for the inconvenience in this lack of Internet Explorer's behaviour.
- A52: At first, you should know, that if you share an unsecure session with a secure session, you void the security of the https session, since a network sniffer, could retrieve the cookie and use identity theft on the https session!
However, we have made ISP Session as safe as possible for you
The steps to follow to share a session and to fix the security hole you create by sharing a http session with https.
- In global.asa set Application("CookieNoSSL") = True.
- Just before you redirect to https set Session.ReEntrance = True, this allows a browser to continue a session while the hostname or even the complete URL changes.
- At the redirected page, you disable ReEntrance again by Session.ReEntrance = False. If you go back to http, you should repeat the same trick.
- To fix the security hole of sharing secure between unsecure (and vice versa) you should set Session.LiquidCookie = True in Session_OnStart.
Note that you should thoroughly test your site after setting this option. LiquidCookies causes a session key to be valid for just one page request, after that request, a new key is automatically generated and established with your browser! So if a browser misses just one request, the session is lost.
- a47: Yes, you can configure your IIS 6 classic asp application, to utilise web gardens. ISP Session has no problem with gardens, since it is not affiliated to a process or a thread.
- a54: ISP Session is an in-proc, leight weight COM+ component and can run in interoperability mode with .NET.
So, if you are at the process of converting classic asp to ASP.NET, ISP Session would be ideally.
However, ISP Session is not yet a 'native' .NET replacement. So, ISP Session is not recommended for 100% native ASP.NET projects but just for interoperability between asp and asp.net.
- a55: We have received a few requests but there seems no such market that justifies an investment to create a native-full-featured .NET equivalent that performs better than the built in one. If you need session state in an ASP.NET 2.0 environment, we suggest that you stick to the built in engine and optimize pages by using the readonly attribute for instance.
Updated: Monday, March 01, 2010