I have an ASP.NET c# web application published to a server of ours. It consists of three pages, each with a form on them, sort of like a 3-page login. After the third page’s form is validated, it sends the user to a different site. Here’s a little diagram so I can explain it better:
NamePage —> DateOfBirthPage —> IDNumberPage —> OtherSite
This has been working great in all of our development tests and stress tests. However, after we put it into production, occasionally when the “Next” button on the IDNumberPage is clicked, the user sees “This page cannot be displayed” with a “diagnose connection problems” button. When this occurs for one user, the same problem occurs for all users (meaning once it happens, nobody can fully authenticate). NamePage and DateOfBirthPage always work, and when the crash occurs, the IDNumberPage link doesn’t change, suggesting that the crash is occurring on this side of the application, not after it redirects to OtherSite. I have friendly HTTP errors turned off but it’s not showing any errors on the page. If we go into the server and restart the application, it works again.
The frustrating part is that we can’t replicate this error to see how/why it’s occurring.
Some things that are noteworthy:
- Each page uses one query on a MS SQL server database
- Each page passes up to 4 Session variables (only small Strings containing what was entered into the textbox form on the previous page(s))
- The session is abandoned when the final “next” button is clicked.
- All resultsets/connections/commands are closed before redirect.
- Redirects use the overloaded version using
Response.Redirect(siteName, false)
Sorry if all of this is very vague, but the problem itself has done an oddly good job of hiding from us. We have tried hammering the server with test requests (many at once, many over a period of time, etc) and different combinations of logging in/trying to break the page in general, to no avail. Can anyone suggest some things to try to diagnose/fix/replicate this problem?
Edit: The click function on IDNumberPage’s code-behind that is causing the problem:
{ SqlConnection dbconn = new SqlConnection(Application["dbconn"].ToString());
SqlCommand sqlValidate = dbconn.CreateCommand();
dbconn.Open();
sqlValidate.CommandText = "SELECT lastName, csn FROM Demographics WHERE lastName = '" + Session["lastName"].ToString() + "' " +
"AND dob = '" + Session["dobCheck"].ToString() + "' AND mrn = " + strMRN;
SqlDataReader results = sqlValidate.ExecuteReader();
if (results.HasRows)
{
string csn = "";
while (results.Read())
{
if (!String.IsNullOrEmpty(results["csn"].ToString()))
{
csn = results["csn"].ToString();
break;
}
}
string url = Application["surveyUrlString"] + "&lastname=" + Session["lastName"].ToString() + "&mrn=" + strMRN + "&dobday=" + Session["dobday"].ToString()
+ "&dobmonth=" + Session["dobmonth"].ToString() + "&dobyear=" + Session["dobyear"].ToString() + "&csn=" + csn;
results.Close();
dbconn.Close();
Response.Redirect(url, false);
}
The problem is due to leaking sql connections.
You aren’t properly disposing of your resources. Over time these are going to stack up in the connection pool until you reach a point where the pool overflows and your app dies. Resetting will obviously fix the issue.
Also this issue might not show up in “stress” tests depending on how, exactly you are testing the application.
The solution is to reformat that code to handle your database call better.
notice that you aren’t redirecting until after everything is cleaned up.
SqlConnection,SqlCommandandSqlDataReaderall implementIDisposable. You have to properly clean up after use otherwise the resources will be left hanging. The “best” way of doing this is to wrap them in a using clause. This ensures they are properly removed once the code block is exited as they aren’t garbage collected like other objects.Also note that the above code has a good side benefit. Namely, in case of error it STILL cleans up after you. Whereas the original code that was posted would clearly leak in the event the DB server didn’t respond or threw some type of error when running the query.
The query could error out depending on the values contained in dboCheck, lastname and mrn parameters. For example, what if “BOB” was passed in for the dobCheck field, or Nothing was passed in for mrn… If dob is a datetime field in your database then the query will throw an error that will result in a leaked connection. Do that enough times and your site is down.
Upon further review, I’m guessing that’s probably what is happening: people are putting in garbage data that your app is allowing to get to this point and the query is failing. Most likely this isn’t something that you’ve handled in your test cases.
Side note: Please don’t create your sql statements by using concatentation. That is a complete security no no. At the very least, parameterize those queries.