Token SessionState

ASP.Net JWT Token based SessionState Provider

The ASP.Net JWT Token based SessionState provider is a drop-in replacement for ASP.Net's default session state providers (in-proc, Asp.Net State Server, SQL Server) that is 100% stateless and requires no backend storage service.

This component was developed to remove the traditional session state bottleneck and its scaling issues on a corporate ASP.Net project with +100,000K concurrent users.

Advantages:

  • Drop-in replacement: no changes to your code are needed.
  • Scales better than any centralized store, because no session storage backend is needed.
  • Faster than any other session storage, because no data has to be retrieved from a session store on each request.
  • Consumes no server resources for session storage.
  • Default non-blocking implementation: concurrent requests do not block each other and do not hold a lock on the session.
  • Horizontal scaling: because the session data travels with the request itself, you can run multiple web heads without worrying about session sharing.

How does it work:

  • Session data is embedded inside a JWT and sent to the client in a cookie.
  • The server decodes the incoming cookie on every request to populate the session data.
  • The server only sends a new cookie to the client when the session data changes, or every couple of minutes in order to implement sliding session expiration.

Limitations:

  • Most web servers have HTTP header size limits that range from 8K to 48K (this is configurable). Because cookies travel in HTTP headers, the contents of the session are limited to about 6K of data if you don't modify your server's defaults. It is very rare to reach these limits with regular usage of session storage, but that depends hugely on what your application stores inside the user session.
  • Sessions are not tracked anywhere on the server, so a specific user session cannot be invalidated server-side.

Security:

  • By default, the contents of the JWT are not encrypted, so the payload is readable by anyone who holds the cookie. Reverse engineering the session contents takes some effort, because they are stored as a direct object memory serialization rather than as JSON, but it is doable if you know how this provider works.
  • We also offer an encrypted JWT version of the service in which the session contents are fully encrypted. That comes at the cost of a bigger JWT token, so you have tighter limits on how much content you can store in the session before you reach your server's HTTP header limits.
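The following is an added illustration of the mechanism described under "How does it work" and of the caveat in the "Security" section; it is example code written for this page, not the provider's own implementation. It assumes an HS256 (HMAC-SHA256) signed JWT, JSON-serialized session data (the product uses a binary object serialization instead), a 2-minute refresh interval for the sliding expiration, and a 6K cookie budget; the key and the session values are constructed for the demo.

```python
# Added example (not the product's code): a minimal stateless session cookie
# modelled on the mechanism the page describes. Assumptions not taken from
# the page: HS256-signed JWT, JSON session payload, 2-minute refresh interval.
import base64
import hashlib
import hmac
import json

REFRESH_SECONDS = 120          # assumption: "every couple of minutes"
MAX_COOKIE_BYTES = 6 * 1024    # page: ~6K of session data with default header limits
SECRET = b"constructed-demo-key-not-for-production"  # constructed sample key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def encode_session(session: dict, issued_at: int, ttl_seconds: int, key: bytes = SECRET) -> str:
    """Pack the session dict into an HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = {"iat": issued_at, "exp": issued_at + ttl_seconds, "session": session}
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_session(token: str, now: int, key: bytes = SECRET):
    """Verify signature and expiry; return (session, iat), or None on any failure.

    Any malformed, forged or expired cookie is treated as "no session", which is
    what lets the server stay stateless: the cookie is the only record it has.
    """
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None           # tampered or forged token
        body = json.loads(_b64url_decode(payload))
        if now >= body["exp"]:
            return None           # sliding expiration elapsed without a refresh
        return body["session"], body["iat"]
    except (ValueError, KeyError, TypeError):
        return None               # malformed token (bad base64, bad JSON, missing claims)


def cookie_for_response(original_session, session, iat, now, ttl_seconds, key=SECRET):
    """Decide whether a new Set-Cookie is needed: only on change or when a refresh is due."""
    changed = session != original_session
    refresh_due = now - iat >= REFRESH_SECONDS
    if not (changed or refresh_due):
        return None               # nothing to send; the client's cookie stays valid
    token = encode_session(session, now, ttl_seconds, key)
    if len(token) > MAX_COOKIE_BYTES:
        # Better to fail loudly than to emit a cookie the server will later refuse.
        raise ValueError(f"session token is {len(token)} bytes; exceeds the cookie/header budget")
    return token


def peek_payload_without_key(token: str) -> dict:
    """The payload of an unencrypted JWT is only base64url-encoded: no key needed to read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))
```

The last function is the point of the security note above: the signature stops a client from altering the session, but nothing stops it from reading the session, so secrets and anything the user should not see belong in the encrypted variant or outside the session entirely.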

How to deploy:

Add these settings to your web.config and you are ready to go:

<system.webServer>
  <modules>
    <!-- Re-register the standard session module so it runs in integrated mode -->
    <remove name="Session"/>
    <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="integratedMode"/>
  </modules>
</system.webServer>

<system.web>
  <!-- Point session state at the token-based provider; timeout is in minutes -->
  <sessionState timeout="10" cookieless="false" regenerateExpiredSessionId="true" mode="Custom" customProvider="TokenAsyncSessionStateProvider">
    <providers>
      <add name="TokenAsyncSessionStateProvider" type="DrupalOnWindows.Session.TokenAsyncSessionStateProvider"/>
    </providers>
  </sessionState>
</system.web>

Licenses

The licensing scheme is very simple: You buy it once and get access to the source code (private Gitlab repository) + unlimited usage for your projects*. Access to the repository only lasts for a year (12 months). All updates done to the software during that period are included in your license. This is a lifetime license, you can keep using the code even if your access to the repository ends.

Implementation

Delivery Instructions: after purchase, send an e-mail to info@drupalonwindows.com with a Gitlab e-mail address of your choice. This address/account will be given access to a private Git repository with the source code.

10 DAY MONEY BACK GUARANTEE: IF YOU FIND A BUG IN OUR SOFTWARE DURING THE FIRST 10 DAYS AFTER PURCHASE THAT WE CANNOT SOLVE YOU GET YOUR MONEY BACK.


* YOU ARE ALLOWED TO USE AND MODIFY THE SOURCE CODE, AND TO EMBED IT INTO YOUR APPLICATIONS, BUT NOT TO REDISTRIBUTE, RE-LICENSE OR MAKE ANY OF THE SOURCE CODE PUBLICLY AVAILABLE.

Copyright (C) 2020  David García García - david dot garcia at drupalonwindows dot com
This program is not free software: you can use it and modify it but not convey it or any derivative works.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
A full copy of the license can be obtained here: http://www.drupalonwindows.com/en/content/paidware-terms-and-conditions