The Null Reference Expection in SessionStateModule.PollLockedSessionCallbacks() is happening when the page is viewed and refreshed twice in Unhandled Exception.
1. Sql Server Session state
2. After applying windows update for .NET
4. Threading Issue
5. custom IIdentity object to authenticate users
6. Improper Serialization
1. use Inproc session state for debugging. Set the SQl state in web.config and machine.config to InProc
2. If the page is not using Session variable, Set the SessionState as OFF
3. Remove the Security Update for .NET Framework 2.0 (KB928365) from the machine
4. Instead of using the custom IIdentity object to track authenticated users change the code to use a static, thread-safe collection and pull authenticated users from this collection instead of the HttpContext.Current.User property.
5. Move any assignments to Context.User into Context.Session since impersonation could be done where needed rather than assigning it for the lifetime of execution.
6. Take the custom Security.Principal class out of the website project, and compile it as a Class library into a .DLL (assembly). Sign the .DLL with a Strong Name, and place it in the GAC. Adjust your code that references the custom Principal to call the code in its new location, if necessary
7. Add a Reference to the new assembly in your website project
8. If you use a WebSetup project to install your website, as I did, you can have it place the assembly into the server's GAC for you, during the installation.
9. Use the hot fix KB942086
It is available at http://support.microsoft.com/kb/942086
10. It applies to .NET Frame work 2.0