7

On login I want to generate a new SessionId. I have found one solution that works, but it requires some pretty hackish things and requires the app have Full Trust securityPolicy setting.

Is there any other way to achieve this?

Jarrod Everett
  • The framework is not really setup with hooks for this - that's why the solution you found is "hackish". – Oded Aug 27 '12 at 19:54
  • Why don't you want to use the Session Id that was generated when the session was initialized? (ie. What problem are you trying to solve?) – Brian Dishaw Aug 27 '12 at 19:56
  • The issue where a new sessionId cookie was created on logout, time goes by, then the next user who logs in on that browser will always use that sessionId, which is a security hole if someone wrote down the sessionId in the interim – Jarrod Everett Aug 27 '12 at 20:01

2 Answers

8

Looks like this works:

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing out that cookie, a new session with a new session ID will be created at the server.

(Reference: Microsoft Support)

EDIT: Here's an example using AJAX (with jQuery) to call the server code without a page refresh - it calls twice, once to remove the first session, and once to generate a new one. There may be a better way, but this does work.

function newSession() {
    jQuery.ajax({
        type: "POST",
        url: "WebForm1.aspx/ClearSession",
        data: "{}",
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        success: function () {
            jQuery.ajax({
                type: "POST",
                url: "WebForm1.aspx/NewSession",
                data: "{}",
                dataType: "json",
                contentType: "application/json; charset=utf-8",
                success: function () { console.log("Success!"); },
                error: function (x, y, z) {
                    console.log("Failure!");
                }
            });
        },
        error: function (x, y, z) {
            console.log("Failure!");
        }
    });
}

And on the code-behind (for WebForms - you could also do this with an MVC controller):

[WebMethod]
public static void ClearSession()
{
    HttpContext.Current.Session.Abandon();
    HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}

[WebMethod]
public static void NewSession()
{
    HttpContext.Current.Session["x"] = 123;
}
Joe Enos
  • That works, but will require a redirect or something to allow the cookie to be sent to the client, and then the client make another server request with the empty id. I can't think of a way to do this without hurting user experience with a random page refresh – Jarrod Everett Aug 27 '12 at 21:30
  • You can do this with AJAX to prevent the multi-refresh, assuming you require javascript to be turned on. See my edit for a sample. – Joe Enos Aug 28 '12 at 16:11
  • Warning: this does not protect against session fixation what is probably the reason why the OP wants to generate a new ID. – MichaelD Jun 01 '15 at 12:54
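An added example (not from the answer or comments above) of regenerating the id in a single request with System.Web.SessionState.SessionIDManager, so no second AJAX call or page refresh is needed. It assumes the default cookie-based session mode; the `SessionHelper` class is a hypothetical name, and, as with `Session.Abandon()` alone, the contents of the old session are discarded.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper, added for illustration; not part of the original answer.
public static class SessionHelper
{
    // Call this after the user's credentials have been verified on login.
    public static string RegenerateSessionId(HttpContext context)
    {
        // Drop the server-side session so the old id can no longer be used.
        context.Session.Abandon();

        // Use ASP.NET's own generator for a fresh, random session id.
        var manager = new SessionIDManager();
        manager.Initialize();
        string newId = manager.CreateSessionID(context);

        // Write the new id into the ASP.NET_SessionId cookie of this response.
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // 'redirected' is only set in cookieless mode (id carried in the URL),
        // which this example does not handle.
        if (redirected)
            throw new InvalidOperationException("Cookieless session mode is not supported here.");

        // context.Session.SessionID still reports the old id for the rest of this
        // request; the browser presents the new id from its next request onward.
        return newId;
    }
}

// Usage from a WebForms login page (assumed):
//   string id = SessionHelper.RegenerateSessionId(HttpContext.Current);
```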
0

I'm currently considering a configuration-based solution, rather than a code-based one. I would configure either the web server or load balancer to strip away request and response headers containing cookies for just the login page. Remove the "cookie" headers for request headers and "set-cookie" for response headers.

Every request (GET or POST) to the login page will contain no cookie information, thus forcing ASP.NET to create a new session and (more importantly) a new session id.

It's less efficient than forcing a new session creation on login, but the technique could be useful in cases where you cannot modify the code.

Larry Silverman