33

How can I destroy a session (Session["Name"]) when the user clicks the logout button?

I'm looking through the ASP.NET API Reference on MSDN and it doesn't seem to have much information. It seems rather limited. But I cannot find any other pages for ASP.NET Classes etc.

I have tried:

Session.Abandon(); and Session.Contents.Remove("Name"); neither of them work. ( I found these in a forum from a Google search)

dove
  • 20,469
  • 14
  • 82
  • 108
  • What do you mean by "neither of them work" – Bob Mar 16 '11 at 18:55
  • Um... When I output the contents of the session["Name"] it still outputs the name, but it shouldn't because it should've been cleared or killed. And it doesn't Sign me out. So, that's what I mean by "Neither of them work" –  Mar 16 '11 at 19:06
  • Try adding a redirect back to the login page, check for the Session["Name"] in there. – Bob Mar 16 '11 at 19:10
  • The Abaondon Method works all you need to do is take of the postbackurl from the html script and add a redirect after Session.Abandon(). –  Feb 11 '12 at 13:01
  • May be [this link](http://www.dotnetspark.com/tutorial/3-44-kill-session.aspx) might help you. – shruti Mar 17 '11 at 05:37
  • Use Session["YourItem"] = ""; – orf Feb 01 '15 at 09:18

9 Answers9

63

The Abandon method should work (MSDN):

Session.Abandon();

If you want to remove a specific item from the session use (MSDN):

Session.Remove("YourItem");

EDIT: If you just want to clear a value you can do:

Session["YourItem"] = null;

If you want to clear all keys do:

Session.Clear();

If none of these are working for you then something fishy is going on. I would check to see where you are assigning the value and verify that it is not getting reassigned after you clear the value.

Simple check do:

Session["YourKey"] = "Test";  // creates the key
Session.Remove("YourKey");    // removes the key
bool gone = (Session["YourKey"] == null);   // tests that the remove worked
Kelsey
  • 47,246
  • 16
  • 124
  • 162
  • 1
    Thanks, @Kelsey; I just updated my question to show what I've already tried. The Abaondon Method doesn't work :S –  Mar 16 '11 at 18:54
  • @Lucifer are you trying to kill the `Session` from the current session or are you trying to do it from the application level and locate and kill a specific session? – Kelsey Mar 16 '11 at 18:56
  • Um, from the current session,? –  Mar 16 '11 at 19:00
  • @Lucifer something else is going on I suspect. I have editted my answer to include a little check and some other options. – Kelsey Mar 16 '11 at 19:08
  • Thanks @Kelsey, I'm not seeing any results from that check. –  Mar 16 '11 at 19:13
  • 1
    @Lucifer What result were you expecting? The value will be `null` after the `Remove`. Did you want something more to happen? – Kelsey Mar 16 '11 at 19:42
8

It is also a good idea to instruct the client browser to clear session id cookie value.

Session.Clear();
Session.Abandon();
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-10);
NoWar
  • 36,338
  • 80
  • 323
  • 498
Bozhidar Grigorov
  • 131
  • 1
  • 4
  • is this really necessary ? Response.Cookies["ASP.NET_SessionId"].Value = string.empty ? or just with Session.Abandon() is enough ? – love2code Oct 03 '19 at 19:44
5

Session.Abandon()

This marks the session as Abandoned, but the session won't actually be Abandoned at that moment, the request has to complete first.

Bob
  • 97,670
  • 29
  • 122
  • 130
4

From what I tested:

Session.Abandon(); // Does nothing
Session.Clear();   // Removes the data contained in the session

Example:
001: Session["test"] = "test";
002: Session.Abandon();
003: Print(Session["test"]); // Outputs: "test"

Session.Abandon does only set a boolean flag in the session-object to true. The calling web-server may react to that or not, but there is NO immediate action caused by ASP. (I checked that myself with the .net-Reflector)

In fact, you can continue working with the old session, by hitting the browser's back button once, and continue browsing across the website normally.

So, to conclude this: Use Session.Clear() and save frustration.

Remark: I've tested this behaviour on the ASP.net development server. The actual IIS may behave differently.

Chuck
  • 1,110
  • 3
  • 15
  • 22
1
Session["YourItem"] = "";

Works great in .net razor web pages.

orf
  • 131
  • 1
  • 1
  • 3
    While this code sample may possibly answer the question, it would be preferable to include some essential explanation to your answer. As it stands now this answer adds little to no value for future readers. – oɔɯǝɹ Feb 01 '15 at 09:40
1

Session.Abandon(); did not work for me either.

The way I had to write it to get it to work was like this. Might work for you too.

HttpContext.Current.Session.Abandon();
Ian
  • 30,182
  • 19
  • 69
  • 107
kinthamen
  • 11
  • 1
1

Session.Abandon() this will destroy the data.

Note, this won't necessarily truly remove the session token from a user, and that same session token at a later point might get picked up and created as a new session with the same id because it's deemed to be fair game to be used.

Chris Marisic
  • 32,487
  • 24
  • 164
  • 258
  • Thanks @Chris, I've tried that, and it still outputs the contents of the session["Name"] and won't signout. –  Mar 16 '11 at 19:01
1

You kill a session like this:

Session.Abandon()

If, however, you just want to empty the session, use:

Session.Clear()
Chris Cashwell
  • 22,308
  • 13
  • 63
  • 94
  • If you're just trying to remove the 'Name', you can do `Session.Remove("Name");` or clear it using `Session["Name"] = null;` – Chris Cashwell Mar 16 '11 at 19:00
  • 1
    None of these are working. I've tried Session.Abandon(); Session.Contents.Remove("Name"); Session.Contents.RemoveAll(); Session.Clear(); Session["Name"] = null (which is originally what I did) - and none of them work. –  Mar 16 '11 at 19:03
1
Session.Abandon()

is what you should use. the thing is behind the scenes asp.net will destroy the session but immediately give the user a brand new session on the next page request. So if you're checking to see if the session is gone right after calling abandon it will look like it didn't work.

Alan Barber
  • 983
  • 5
  • 15
  • Check the Remarks section on the MSDN doc for Session.Abandon -> http://msdn.microsoft.com/en-us/library/ms524310.aspx – Alan Barber Mar 16 '11 at 19:05
  • Thank you @AlanB - Then, how can I Sign out of my 'account' immediately after clicking the SignOut button?, if the session won't get deleted? –  Mar 16 '11 at 19:09
  • I guess it depends a bit on the code you're doing but the basic operation would be if you have "Logout" button on a page that in the code does a session.abandon() call then redirects to your homepage. the loading of the homepage should have a new session and thus not be "logged in" anymore. they will have a new session but all data associated with the old session is gone. – Alan Barber Mar 16 '11 at 19:13