Can a single user make more than one request at a time if the Session is in use?

I am not able to make more than one request at a time while the session is active. Why does this limitation exist? Is there a way to work around it?

This issue can be demonstrated with a WebForms app with just 3 simple aspx pages (although the limitation still applies in MVC).

Create a 3.5 web application.

There should be just three pages:
NoWait.aspx, Wait.aspx, and SessionStart.aspx

NoWait.aspx has this single nugget added between the default div tags: <%=DateTime.Now.Ticks %>. The code-behind for this page is the default (empty).

Wait.aspx looks just like NoWait.aspx, but it has one line added to Page_Load in the code-behind: Thread.Sleep(3000); //wait 3 seconds

SessionStart.aspx also looks just like NoWait.aspx, but it has this single line in its code-behind: Session["Whatever"] = "Anything";

Open a browser and go to NoWait.aspx. It properly shows a number in the response, such as: “633937963004391610”. Keep refreshing and it keeps changing the number. Great so far! Create a new tab in the same browser and go to Wait.aspx. It sits for 3 seconds, then writes the number to the response. Great so far! Now, try this: Go to Wait.aspx and while it’s spinning, quickly tab over to NoWait.aspx and refresh. Even while Wait.aspx is sleeping, NoWait.aspx WILL provide a response. Great so far. You can continue to refresh NoWait.aspx while Wait.aspx is spinning, and the server happily sends a response each time. This is the behavior I expect.

Now is where it gets weird.

In a 3rd tab, in the same browser, visit SessionStart.aspx. Next, tab over to Wait.aspx and refresh. While it’s spinning, tab over to NoWait.aspx and refresh. NoWait.aspx will NOT send a response until Wait.aspx is done running!

This proves that while a session is active, you can’t make concurrent requests with the same user. Requests are all queued up and served synchronously. I do not expect or understand this behavior. I have tested this on Visual Studio 2008’s built-in web server, and also IIS 7 and IIS 7.5.

So I have a few questions:

1) Am I correct that there is indeed a limitation here, or is my test above invalid because I am doing something wrong?

2) Is there a way to work around this limitation? In my web app, certain things take a long time to execute, and I would like users to be able to do things in other tabs while they wait for a big request to complete. Can I somehow configure the session to allow “dirty reads”? This could prevent it from being locked during the request?

3) Why does this limitation exist? I would like to gain a good understanding of why this limitation is necessary. I think I’d be a better developer if I knew!



Method 1

Here is a link talking about session state and locking. It does perform an exclusive lock.

The easiest way around this is to make the long running tasks asynchronous. You can make the long running tasks run on a separate thread, or use an asynchronous delegate and return a response to the browser immediately. The client side page can send requests to the server to check and see if it is done (through ajax most likely), and when the server tells the client it’s finished, notify the user. That way although the server requests have to be handled one at a time by the server, it doesn’t look like that to the user.

This does have its own set of problems, and you’ll have to make sure that you account for the HTTP context closing as that will dispose certain functionality in the session. One example you’ll probably have to account for is probably releasing a lock on the session, if that is actually occurring.

This isn’t too surprising that this could be a limitation. Each browser would have its own session; before the advent of ajax, post back requests were synchronous. Making the same session handle concurrent requests could get really ugly, and I can see how that wouldn’t be a priority for the IIS and ASP.NET teams to add in.

Method 2

For reasons Kevin described, users can’t access two pages that might write to their session state at the same time – the framework itself can’t exert fine-grained control over the locking of the session store, so it has to lock it for entire requests.

To work around this, pages that only read session data can declare that they do so. ASP.NET won’t obtain a session state write lock for them:

// Or false if it doesn't need access to session state at all
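
The locking rule both answers describe, as an added example that is not part of the original answers and is not ASP.NET code: a small Python model of one session's lock, replaying the question's Wait.aspx / NoWait.aspx test for each value of the @ Page EnableSessionState attribute (true, ReadOnly, false). Assumptions of the model: the lock is granted in arrival order, the delay ASP.NET adds while a request waits is ignored, and a read-only request takes no lock of its own; Request, simulate and nowait_start are names made up for this sketch.

```python
from dataclasses import dataclass

# Values of the @ Page EnableSessionState attribute.
READ_WRITE, READ_ONLY, OFF = "true", "ReadOnly", "false"


@dataclass
class Request:
    page: str
    mode: str       # EnableSessionState value declared by the page
    arrival: float  # seconds after the first request
    work: float     # seconds the handler itself needs


def simulate(requests):
    """Model one session's lock and return {page: (start, finish)}.

    Model assumptions (not ASP.NET internals): requests are served in
    arrival order, waiting adds no polling delay, and a read-only
    request takes no lock of its own.
    """
    lock_free = 0.0  # time at which the last exclusive lock is released
    timeline = {}
    for r in sorted(requests, key=lambda r: r.arrival):
        if r.mode == OFF:
            # Session state disabled: the request never looks at the lock.
            start = r.arrival
        else:
            # Read-write and read-only both wait for a held exclusive lock.
            start = max(r.arrival, lock_free)
            if r.mode == READ_WRITE:
                # Only a read-write request holds the lock while it runs.
                lock_free = start + r.work
        timeline[r.page] = (start, start + r.work)
    return timeline


def nowait_start(wait_mode, nowait_mode):
    """The question's test: Wait.aspx (3 s) at t=0, NoWait.aspx at t=0.5."""
    reqs = [Request("Wait.aspx", wait_mode, 0.0, 3.0),
            Request("NoWait.aspx", nowait_mode, 0.5, 0.25)]
    return simulate(reqs)["NoWait.aspx"][0]


if __name__ == "__main__":
    for w in (READ_WRITE, READ_ONLY, OFF):
        for n in (READ_WRITE, READ_ONLY, OFF):
            print(f"Wait={w:<8} NoWait={n:<8} NoWait starts at {nowait_start(w, n)} s")
```

In the model, marking only NoWait.aspx as ReadOnly changes nothing while Wait.aspx keeps the default: the slow page is the one that has to give up its write lock, or the fast page has to switch session state off.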

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
