NOTE: This post has nothing to do with ASP.NET Session State.
I have an ASP.NET Core v1.1 web app running in production. One of the business requirements of this app is to track user actions from the time they arrive at the site until they leave.
A "Session Id" is created through the use of a simple Middleware that inspects the request for a "Session" cookie and if not present, enters a new record in the database, retrieves the id, and writes the id to the cookie (facilitated by ISessionLogger).
It then redirects the user to the current URL to write the cookie. It looks like this:

```csharp
public async Task Invoke(HttpContext httpContext, ISessionLogger sessionLogger)
{
    // This checks for the cookie
    // This implicitly creates the session and writes the cookie
    // Redirect to the current url, so the cookie sticks
}
```

I have the middleware wired up in Startup.cs, like so:

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseSessionLogger(); // <--- wired up here
}
```

This has been working as expected without issue until recently.
The business owner started complaining about multiple session entries getting written in succession, usually in groups of 15-20 within a matter of 10 milliseconds of each other.
After hours of troubleshooting without being able to reproduce, we eventually narrowed the issue down to the business owner's iPhone.
It seems there is some pre-fetch feature in Safari that is querying the site in the background even when there are no tabs open. After closing all tabs, force closing the app, and restarting, it would consistently create 17 new sessions.
I added logging in IIS, including the Cookie header, and for these requests, the cookies are never added to the response. No exceptions are thrown either.
The IIS logs show they are accessing the site's root URL and getting a 302 response (from my middleware), but there are no cookies on the response.
It's possible that the 17 is a limit set in Safari to prevent an infinite redirect loop.
This leaves me with a few questions:
- Is Middleware the ideal way to be doing what I'm doing?
- What process in Safari on iPhone is likely responsible for this?
- Why weren't these responses getting the cookie header?
- Lastly, how can I identify these requests? Are there headers I can look for?
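
A loop guard for the middleware described above, as an added example that is not part of the original post: it assumes the burst is one client following the 302 repeatedly without ever returning the cookie, and it caps that at one session record per cookieless arrival. The `CreateSessionAsync` member, the `sc` query marker and writing the cookie in the middleware itself are assumptions; the post does not show the real `ISessionLogger` members.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical stand-in for the post's ISessionLogger; its real members are not shown there.
public interface ISessionLogger
{
    Task<int> CreateSessionAsync(); // inserts the session record and returns the new id
}

public class SessionLoggerMiddleware
{
    private const string CookieName = "Session";
    private const string ProbeParam = "sc"; // assumed marker name: "cookie was already offered"
    private readonly RequestDelegate _next;

    public SessionLoggerMiddleware(RequestDelegate next) { _next = next; }

    public async Task Invoke(HttpContext httpContext, ISessionLogger sessionLogger)
    {
        var request = httpContext.Request;

        // Cookie present: a normal tracked request.
        // Marker present without a cookie: this client was already offered the cookie
        // and did not send it back, so create no further record and do not redirect again.
        if (request.Cookies.ContainsKey(CookieName) || request.Query.ContainsKey(ProbeParam))
        {
            await _next(httpContext);
            return;
        }

        // First cookieless arrival: create exactly one record and offer the cookie.
        var id = await sessionLogger.CreateSessionAsync();
        httpContext.Response.Cookies.Append(CookieName, id.ToString(),
            new CookieOptions { HttpOnly = true, Secure = request.IsHttps });

        // Redirect to the same URL plus the marker, so a second cookieless hit is recognisable.
        var target = QueryHelpers.AddQueryString(
            UriHelper.GetEncodedUrl(request), ProbeParam, "1");
        httpContext.Response.Redirect(target);
    }
}
```

Requests that arrive with the marker but no cookie pass through untracked, so a client that ignores cookies costs one database row instead of one row per redirect.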