Excessive load on ASP.NET session state store

  • Description

    Implementation details

    Sitecore relies on the default implementation of the ASP.NET SessionStateModule for session state management.

    To avoid data collisions in the session store and unexpected session state behavior, the SessionStateModule and SessionStateStoreProviderBase classes include functionality that exclusively locks the session store item for a particular session during the execution of an ASP.NET page.

    If the SessionStateModule instance encounters locked session data during the call to either the GetItemExclusive or GetItem method, it re-requests the session data at half-second intervals until either the lock is released or the amount of time specified in the ExecutionTimeout property has elapsed.

    This behavior is fully described in Locking Session-Store Data MSDN article. The detailed information about the specific ASP.NET SessionStateModule behavior can be obtained by providing the 117091416336585 reference number to Microsoft Support.

    Excessive load nature

    Should multiple requests arrive with the same ASP.NET session identifier, each of them would try to obtain the exclusive lock for the session item even though only one can succeed at a time. Therefore, an excessive load is produced by multiple threads that are trying to simultaneously lock the same unit.

  • The following symptoms can be observed when the session state store is under heavy load:

    • A spontaneous spike in the number of concurrent requests sent to SessionStateStore. For example, a spike of 'GetItemExclusive' commands for MS SQL Session state provider.
    • SessionStateStore response time increases, or reaches DTU quota.
    • Various messages in the Sitecore log files shows database connectivity issues originating from SessionStateModule or SessionState classes. For example:
      Message: Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.
      Source: System.Data
         at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
         at System.Web.SessionState.SqlSessionStateStore.SqlStateConnection..ctor(SqlPartitionInfo sqlPartitionInfo, TimeSpan retryInterval)
      Message: Unable to connect to SQL Server session database.
      Source: System.Web
         at System.Web.SessionState.SqlSessionStateStore.ThrowSqlConnectionException(SqlConnection conn, Exception e)
         at System.Web.SessionState.SqlSessionStateStore.SqlStateConnection..ctor(SqlPartitionInfo sqlPartitionInfo, TimeSpan retryInterval)
         at System.Web.SessionState.SessionStateModule.GetSessionStateItem()
         at System.Web.SessionState.SessionStateModule.PollLockedSessionCallback(Object state)
    • Ensure that your firewall is configured to protect the application from DoS attacks. IIS has a Dynamic IP Address Restrictions module that provides a set of features to protect from DoS attacks.

    • Reduce the request executionTimeout property value in the web.config file to the default ASP.NET value (110 seconds). This property controls the allowed execution time for the request,  and the maximum exclusive lock duration for a request. A lower lock duration ensures that other requests can obtain the lock faster if the lock was not released previously.

    • Increase the default polling interval for locked sessions. Refer to Microsoft Support post for detailed information.

    • Increase the default polling interval for Sitecore Shared session state if Analytics tracking is enabled:

      1. Find the timeoutBetweenLockAttempts parameter in the Sitecore.Analytics.Tracking.config file.
      2. Increase the value to 200 ms.

      This increases the waiting time between attempts to lock contact in shared session state.

    • Throttle concurrent requests per session can be configured in the .NET 4.7 or higher framework version. You should set a lower value than the default value (50).

Applies to:

CMS 6+

November 09, 2017
November 09, 2017

Reference number:



  • Performance
  • ,
  • Scaling