Introduction to the method of realizing session sharing in redis

Introduction to the method of realizing session sharing in redis

Session implementation principle

session and cookie are two objects commonly used in web development. Will there be any connection between them?

What are cookies?

Cookie is a small piece of text information that is passed between the web server and the browser along with user requests and pages. Cookies contain information that a web application can read each time a user visits a site.

Note: Cookies will be passed to the server with each HTTP request, excluding static files such as js, css, images, etc. This process can be analyzed from fiddler or the network monitoring that comes with IE, considering performance. You can start by minimizing cookies

The process of writing cookies to the browser: We can use the following code to write a cookie in the Asp.net project and send it to the client's browser (for simplicity, I did not set other attributes ).

HttpCookie cookie = new HttpCookie("RedisSessionId", "string value");Response.Cookies.Add(cookie);

Introduction to the method of realizing session sharing in redis

We can see that the cookie written on the server will be written to the browser through the response header Set-Cookie.

What is Session?

Session We can use it to easily save some session-related information on the server side. Such as common login information.

Session implementation principle?

The HTTP protocol is stateless. For multiple requests issued by a browser, the WEB server cannot distinguish whether they originate from the same browser. So in order to distinguish this process, the server will distinguish the request through a sessionid. How is this sessionid sent to the server?

As mentioned earlier, the cookie will be sent to the server with each request, and the cookie is invisible to the user. It is best to use it to save this sessionid. Let's verify it through the following process.

Session["UserId"] = 123;

Introduction to the method of realizing session sharing in redis

The relationship between session and cookie is verified again through the above picture. The server generates a cookie setting operation. The sessionid here is used to distinguish the browser. In order to experiment with different browsers, you can try logging in under IE, and then open the same page in chrome. You will find that you still need to log in in chrome because chrome does not have a sessionid at this time. httpOnly means that this cookie will not be operated through js on the browser side to prevent artificial modification of the sessionid.

The default key value of asp.net sessionid is ASP.NET_SessionId. You can modify this default configuration in web.config

<sessionState mode="InProc" cookieName="MySessionId"></sessionState>

Server-side Session reading

How does the server read the value of the session? Session["key value"]. So the question is, why can this Session object be obtained in the Defaule.aspx.cs file, and when was this Session object initialized?

In order to clarify this problem, we can view it by going to the definition.

System.Web.UI.Page ->HttpSessionState(Session)

protected internal override HttpContext Context {
[System.Runtime.TargetedPatchingOptOut("Performance critical to inline across NGen image boundaries")]
  get {
       if (_context == null) {
           _context = HttpContext.Current;
       return _context;
 public virtual HttpSessionState Session {
        get {
            if (!_sessionRetrieved) {
                /* try just once to retrieve it */
                _sessionRetrieved = true;

                try {
                    _session = Context.Session;
                catch {
                    //  Just ignore exceptions, return null.

            if (_session == null) {
                throw new HttpException(SR.GetString(SR.Session_not_enabled));

            return _session;

The above paragraph is where the Page object initializes the Session object. You can see that the value of Session comes from HttpContext .Current, and when was HttpContext.Current initialized? Let’s look down.

public sealed class HttpContext : IServiceProvider, IPrincipalContainer

        internal static readonly Assembly SystemWebAssembly = typeof(HttpContext).Assembly;
        private static volatile bool s_eurlSet;
        private static string s_eurl;

        private IHttpAsyncHandler  _asyncAppHandler;   // application as handler (not always HttpApplication)
        private AsyncPreloadModeFlags _asyncPreloadModeFlags;
        private bool               _asyncPreloadModeFlagsSet;
        private HttpApplication    _appInstance;
        private IHttpHandler       _handler;
        private HttpRequest        _request;
        private HttpResponse       _response;
        private HttpServerUtility  _server;
        private Stack              _traceContextStack;
        private TraceContext       _topTraceContext;
        private Hashtable          _items;
        private ArrayList          _errors;
        private Exception          _tempError;
        private bool               _errorCleared;
        private IPrincipalContainer _principalContainer;
        internal ProfileBase       _Profile;
        private DateTime           _utcTimestamp;
        private HttpWorkerRequest  _wr;
        private VirtualPath        _configurationPath;
        internal bool              _skipAuthorization;
        private CultureInfo        _dynamicCulture;
        private CultureInfo        _dynamicUICulture;
        private int                _serverExecuteDepth;
        private Stack              _handlerStack;
        private bool               _preventPostback;
        private bool               _runtimeErrorReported;
        private PageInstrumentationService _pageInstrumentationService = null;
        private ReadOnlyCollection<string> _webSocketRequestedProtocols;

HttpContext contains our commonly used Request, Response and other objects. HttpContext starts with the ASP.NET pipeline. Taking IIS 6.0 as an example, in the working process w3wp.exe, Aspnet_ispai.dll is used to load the .NET runtime (if the .NET runtime has not been loaded yet).

IIS 6.0 introduces the concept of application pool. A worker process corresponds to an application pool. An application pool can host one or more Web applications, and each Web application is mapped to an IIS virtual directory. Like IIS 5.x, each Web application runs in its own application domain.

If the HTTP request received by HTTP.SYS is the first access to the web application, after the runtime is successfully loaded, an application domain (AppDomain) will be created for the web application through the AppDomainFactory.

Subsequently, a special runtime IsapiRuntime is loaded. IsapiRuntime is defined in the assembly System.Web, and the corresponding namespace is System.Web.Hosting.

IsapiRuntime will take over the HTTP request. IsapiRuntime will first create an IsapiWorkerRequest object to encapsulate the current HTTP request, and pass the IsapiWorkerRequest object to the ASP.NET runtime: HttpRuntime. From this point on, the HTTP request officially enters the ASP.NET pipeline.

According to the IsapiWorkerRequest object, HttpRuntime will create a context (Context) object used to represent the current HTTP request: HttpContext.

I believe that everyone has a good understanding of the Session initialization process and the relationship between session and cookie. Let’s start with the Session sharing implementation plan.

Session sharing implementation plan

1.StateServer method


状态服务全称是“ASP.NET State Service ”(aspnet_state.exe)。它由Web.config文件中的stateConnectionString属性来配置。该属性指定了服务所在的服务器,以及要监视的端口。

<sessionState mode="StateServer"      stateConnectionString="tcpip="     cookieless="false" timeout="20" />


 显然,使用状态服务的优点在于进程隔离,并可在多站点中共享。 使用这种模式,会话状态的存储将不依赖于iis进程的失败或者重启,然而,一旦状态服务中止,所有会话数据都会丢失(这个问题redis不会存在,重新了数据不会丢失)。


reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aspnet_state\Parameters" /v "AllowRemoteConnection" /t REG_DWORD  /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aspnet_state\Parameters" /v "Port" /t REG_DWORD  /d 42424 /f

net stop aspnet_state
net start aspnet_state


Introduction to the method of realizing session sharing in redis


public override void Init()

      foreach (string moduleName in this.Modules)
           string appName = "APPNAME";
           IHttpModule module = this.Modules[moduleName];
           SessionStateModule ssm = module as SessionStateModule;
           if (ssm != null)
                FieldInfo storeInfo = typeof(SessionStateModule).GetField("_store", BindingFlags.Instance | BindingFlags.NonPublic);
                FieldInfo configMode = typeof(SessionStateModule).GetField("s_configMode", BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Static);

                SessionStateMode mode = (SessionStateMode)configMode.GetValue(ssm);
                if (mode == SessionStateMode.StateServer)
                    SessionStateStoreProviderBase store = (SessionStateStoreProviderBase)storeInfo.GetValue(ssm);
                    if (store == null)//In IIS7 Integrated mode, module.Init() is called later
                        FieldInfo runtimeInfo = typeof(HttpRuntime).GetField("_theRuntime", BindingFlags.Static | BindingFlags.NonPublic);
                        HttpRuntime theRuntime = (HttpRuntime)runtimeInfo.GetValue(null);
                        FieldInfo appNameInfo = typeof(HttpRuntime).GetField("_appDomainAppId", BindingFlags.Instance | BindingFlags.NonPublic);
                        appNameInfo.SetValue(theRuntime, appName);
                       Type storeType = store.GetType();
                       if (storeType.Name.Equals("OutOfProcSessionStateStore"))
                           FieldInfo uribaseInfo = storeType.GetField("s_uribase", BindingFlags.Static | BindingFlags.NonPublic);
                           uribaseInfo.SetValue(storeType, appName);
                           object obj = null;



using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.SessionState;
using ServiceStack.Redis;
using Com.Redis;

namespace ResidSessionDemo.RedisDemo
    public class RedisSession
        private HttpContext context;

        public RedisSession(HttpContext context, bool IsReadOnly, int Timeout)
            this.context = context;
            this.IsReadOnly = IsReadOnly;
            this.Timeout = Timeout;
            RedisBase.Hash_SetExpire(SessionID, DateTime.Now.AddMinutes(Timeout));

        /// <summary>
        /// SessionId标识符
        /// </summary>
        public static string SessionName = "Redis_SessionId";

        // 摘要:
        //     获取会话状态集合中的项数。
        // 返回结果:
        //     集合中的项数。
        public int Count
                return RedisBase.Hash_GetCount(SessionID);

        // 摘要:
        //     获取一个值,该值指示会话是否为只读。
        // 返回结果:
        //     如果会话为只读,则为 true;否则为 false。
        public bool IsReadOnly { get; set; }

        // 摘要:
        //     获取会话的唯一标识符。
        // 返回结果:
        //     唯一会话标识符。
        public string SessionID
                return GetSessionID();

        // 摘要:
        //     获取并设置在会话状态提供程序终止会话之前各请求之间所允许的时间(以分钟为单位)。
        // 返回结果:
        //     超时期限(以分钟为单位)。
        public int Timeout { get; set; }

        /// <summary>
        /// 获取SessionID
        /// </summary>
        /// <param name="key">SessionId标识符</param>
        /// <returns>HttpCookie值</returns>
        private string GetSessionID()
            HttpCookie cookie = context.Request.Cookies.Get(SessionName);
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
                string newSessionID = Guid.NewGuid().ToString();
                HttpCookie newCookie = new HttpCookie(SessionName, newSessionID);
                newCookie.HttpOnly = IsReadOnly;
                newCookie.Expires = DateTime.Now.AddMinutes(Timeout);
                return "Session_"+newSessionID;
                return "Session_"+cookie.Value;

        // 摘要:
        //     按名称获取或设置会话值。
        // 参数:
        //   name:
        //     会话值的键名。
        // 返回结果:
        //     具有指定名称的会话状态值;如果该项不存在,则为 null。
        public object this[string name]
                return RedisBase.Hash_Get<object>(SessionID, name);
                RedisBase.Hash_Set<object>(SessionID, name, value);

        // 摘要:
        //     判断会话中是否存在指定key
        // 参数:
        //   name:
        //     键值
        public bool IsExistKey(string name)
            return RedisBase.Hash_Exist<object>(SessionID, name);

        // 摘要:
        //     向会话状态集合添加一个新项。
        // 参数:
        //   name:
        //     要添加到会话状态集合的项的名称。
        //   value:
        //     要添加到会话状态集合的项的值。
        public void Add(string name, object value)
            RedisBase.Hash_Set<object>(SessionID, name, value);
        // 摘要:
        //     从会话状态集合中移除所有的键和值。
        public void Clear()

        // 摘要:
        //     删除会话状态集合中的项。
        // 参数:
        //   name:
        //     要从会话状态集合中删除的项的名称。
        public void Remove(string name)
        // 摘要:
        //     从会话状态集合中移除所有的键和值。
        public void RemoveAll()

下面是实现类似在cs文件中能直接使用Session["UserId"]的方式,我的MyPage类继承Page实现了自己的逻辑主要做了两件事  1:初始化RedisSession  2:实现统一登录认证,OnPreInit方法里面判断用户是否登录,如果没有登录了则跳转到登陆界面

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;

namespace ResidSessionDemo.RedisDemo
    /// <summary>
    /// 自定义Page 实现以下功能
    /// 1.初始化RedisSession
    /// 2.实现页面登录验证,继承此类,则可以实现所有页面的登录验证
    /// </summary>
    public class MyPage:Page
        private RedisSession redisSession;

        /// <summary>
        /// RedisSession
        /// </summary>
        public RedisSession RedisSession
                if (redisSession == null)
                    redisSession = new RedisSession(Context, true, 20);
                return redisSession;

        protected override void OnPreInit(EventArgs e)
            if (!RedisSession.IsExistKey("UserCode"))




1、redis服务器重启不会丢失数据  2.可以使用redis的读写分离个集群功能更加高效读写数据  

测试效果,使用nginx和iis部署两个站点做负载均衡,iis1地址127.0.0.1:8002 iis2地址127.0.0.1:9000  nginx代理服务地址127.0.0.1:8003,不懂如何配置的可以去阅读我的nginx+iis实现负载均衡这篇文章。我们来看一下测试结果。

访问127.0.0.1:8003 需要进行登录   用户名为admin  密码为123

Introduction to the method of realizing session sharing in redis


Introduction to the method of realizing session sharing in redis


Introduction to the method of realizing session sharing in redis

可以尝试直接访问iis1地址127.0.0.1:8002 iis2地址127.0.0.1:9000 这两个站点,你会发现都不需要登录了。至此我们的redis实现session功能算是大功告成了。




Introduction to the method of realizing session sharing in redis



To put it simply: For example, the above access_token interface has a frequency of 2000 times a day, that is, 1 time/minute. The capacity of our token bucket is 2000, which can be stored using the simplest key/value of redis. The key is the user ID, and the value is the number of times the integer storage can be used. Then use a timer to call client.Incr(key) for 1 minute to achieve the number of times. Auto-increment; every time a user accesses this interface, the corresponding client.Decr(key) is used to reduce the number of uses.

But there is a performance problem here. This is only for one user. Assume there are 100,000 users. How to use a timer to implement this self-increment operation? Is it necessary to loop 100,000 times and call the client separately? .Incr(key)? This was not thought through clearly.

2. First judge the total number of direct user visits, and then perform an auto-increment if the conditions are met

Introduction to the method of realizing session sharing in redis

