22

Is it possible to generate a new ID for the session using ASP.NET?

I want it to change when someone logs in to my website just before I set their initial session variables.

John Saunders
Luke

5 Answers

25

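You can do this using the SessionIDManager class:

```csharp
// Requires the System.Web.SessionState namespace
SessionIDManager manager = new SessionIDManager();

// Generate a fresh ID and write it to the response as the session cookie
string newID = manager.CreateSessionID(Context);
bool redirected = false;
bool isAdded = false;
manager.SaveSessionID(Context, newID, out redirected, out isAdded);
```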

[Code sample is from Anas Ghanem's article]

stuartd
  • Yes, with above code I get new sessionId every time but this causes other problem ie. it clears session variable every time page loads even when I have put above code in if (!IsPostBack){} – Arti Jul 07 '14 at 17:45
  • @user1650891 you should start a new question – stuartd Jul 07 '14 at 18:41
  • Here is the link to my question [link](http://stackoverflow.com/questions/24606885/session-saved-in-handler-cannot-be-accessed-in-aspx-file/) – Arti Jul 08 '14 at 03:44
  • 1
    "This method is not intended to be called from application code." https://msdn.microsoft.com/en-us/library/system.web.sessionstate.sessionidmanager.savesessionid(v=vs.110).aspx#Anchor_2 – Paul C Apr 08 '16 at 10:01
  • 1
    My `SessionID` is not updating. `Context.Session.SessionID` displays the same values. – Ali Umair Jun 14 '16 at 11:40
5

You can use

SessionIDManager.CreateSessionID Method: returns a unique session identifier that is a randomly generated number encoded into a 24-character string.

Code

```csharp
SessionIDManager Manager = new SessionIDManager();
string NewID = Manager.CreateSessionID(Context);
string OldID = Context.Session.SessionID;   // ID the request arrived with
bool redirected = false;
bool IsAdded = false;
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);
```

Here you can find full detail about this: Changing the session ID programmatically.

Pranay Rana
4

Yes, it is possible to generate a new ID for the session. Below is one example:

```csharp
System.Web.SessionState.SessionIDManager Manager = new System.Web.SessionState.SessionIDManager();
string NewID = Manager.CreateSessionID(Context);
string OldID = Context.Session.SessionID;

// SaveSessionID reports both results through out parameters
bool redirected = false;
bool IsAdded = false;
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);

Response.Write("Old SessionId Is : " + OldID);
if (IsAdded) {
    Response.Write("<br/> New Session ID Is : " + NewID);
}
else {
    Response.Write("<br/> Session Id did not saved : ");
}
```

user1102001
3

The ASP.Net session management infrastructure does not expose a supported way to change your session id during the handling of a request. If writing supported code is important to you, there are several things to be aware of with the accepted answer.

  • Both CreateSessionID and SaveSessionID are marked "This method is not intended to be called from application code".
  • The SessionID provider is a pluggable type (see e.g. Implementing a custom SessionIDManager), so at the very least you would need to instantiate the correct type.
  • The session state attached to the HttpContext will remain associated with the initial session id, so anything you put in the session state bag will appear to be lost. Since there isn't anything you can do with the session once you've changed your id, it's kind of pointless to change your id this way.

Unfortunately, there isn't a supported way to do this without a round-trip. What you need to do is to wipe the session state cookie when you generate the login form. When the user submits the form back, the framework will call into the SessionIDManager to generate a new one. Wiping the session cookie correctly is slightly more complicated than most of the code samples show. The cookie name is another parameter configurable in the web.config. You need to read it from the configuration by accessing the property:

```csharp
((System.Web.Configuration.SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState")).CookieName
```

The session id cookie is not scoped to the application, so if there are two applications installed on the same server it's often desirable to have them use different cookie names, so this is required more commonly than you might think.

bmm6o
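
One way to implement the cookie wipe described in bmm6o's answer above, as an added example that is not part of any of the original answers. The `Login` page class and the `DropSessionCookie` helper are hypothetical names, and the sketch assumes a Web Forms application using cookie-based session state.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;
using System.Web.UI;

// Hypothetical code-behind for a Web Forms login page (Login.aspx).
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Run only on the GET that renders the form. The POST that follows then
        // arrives without a session cookie, so the framework issues a new ID.
        if (!IsPostBack)
        {
            DropSessionCookie(Context);
        }
    }

    // Discards server-side state for the current ID and expires the client cookie.
    internal static void DropSessionCookie(HttpContext context)
    {
        // The cookie name is configurable in web.config, so read it from there.
        var section = (SessionStateSection)ConfigurationManager
            .GetSection("system.web/sessionState");

        // In UseUri mode the ID travels in the URL; there is no cookie to wipe.
        if (section.Cookieless == HttpCookieMode.UseUri) return;

        if (context.Session != null)
        {
            context.Session.Abandon();   // takes effect at the end of this request
        }

        // An empty, already-expired cookie of the same name makes the browser drop it.
        var expired = new HttpCookie(section.CookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection,
            Path = "/"   // the session cookie is not scoped to the application
        };
        context.Response.Cookies.Set(expired);
    }
}
```

Session variables set while handling the login POST are then stored under an ID the pre-login browser session never held.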
2

I assume this is security related? Will a Session.Clear() or Session.Abandon() work for you? This is a good SO link related to those methods.

Otherwise, it is difficult because the ASP.NET session cookie is already on the user's browser. You might not have confidence that the session was truly changed.

Community
Davin Tryon