I'm a little bit confused about session management in MVC4.

Let's say I entered a username and password and clicked on the Login button. Then on the server side, I got the SessionId from HttpContext.Current.Session. And then I am validating the user credentials against the database. If the user is valid, then I add SessionId, userName and userId to the Session.

Let's say the next request comes from the same machine and the same browser; I get the same SessionId and then allow that user to access other information.

Now I have following questions:

  1. How does the server know that the request came from the same browser and the same machine?
  2. I found that the SessionId is different for different browsers, but it is the same for the same browser on different machines. So if I logged in from machine1 with Google Chrome, is it possible to use the same session from a different browser? (Meaning: will the session be available on a different machine with the same browser? Is that possible?)
  3. How does the server understand that the request is for the same user who is logged in?
  4. In ASP.NET the session is maintained by ViewState, but ViewState is not used in MVC, so what is used in MVC?
Ashok
  • I will try to answer your specific questions when I find more time, but I think this URL will help you clear some doubts: https://gregorybeamer.wordpress.com/2012/11/04/session-and-cookies-in-asp-net-mvc-oh-my/ – SBirthare Dec 02 '14 at 08:29
  • Ok, thanks, I will go through this URL – Ashok Dec 02 '14 at 08:43
  • Session is never "maintained" by ViewState, they are entirely separate mechanisms. ViewState is stored in a hidden field in the page, session data is never sent to the browser. – Hans Kesting Dec 02 '14 at 09:49

1 Answer

First I suggest reading this Wikipedia article about HTTP sessions. The answers to your questions:

  1. With every request the client sends its SessionId in either a cookie or the query string.
  2. This should not be possible by default. But it can be done by session hijacking.
  3. The server reads the SessionId which was sent by the client, as in question 1. The server maintains, for example, a key-value data object, so it can load the right data for the given SessionId.
  4. ASP MVC doesn't use a viewstate since it's a completely different approach than ASP.NET. See this question for more information.
Marthijn
  • Thanks for your reply. I understood what you want to say. Please check the following comments: so it means I don't need to do anything extra to maintain the user session. I will just add the userName and its sessionId to the HttpContext session. The server will take the cookie value and get its related session, userName and user info. Is that right? Also, we are getting the same sessionId for the same browser from different machines. But you are saying this only happens by session hijacking. So how is this happening? – Ashok Dec 02 '14 at 12:43
  • Yes, ASP MVC handles the session out of the box, unless you change something in the configuration. If you want to authenticate users, take a look at forms authentication: http://msdn.microsoft.com/en-us/library/ff398049(v=vs.98).aspx What exactly do you mean by the same `SessionId`? That would mean the value in the cookie is the same on both machines. Could you verify this behavior in your application by putting something in the session on machine 1 and reading it on machine 2? – Marthijn Dec 02 '14 at 13:00
  • Thanks for your reply. Ok, I will do that. By SessionId I mean the sessionId received from the browser – Ashok Dec 02 '14 at 13:20
  • Just to confirm, the value in the cookie named `ASP.NET_SessionId` is the same on both machines? Maybe this article helps: http://support.microsoft.com/kb/899918 – Marthijn Dec 02 '14 at 13:33
  • Can I get the SessionId received from the server in JavaScript or jQuery to check? In my application, `document.cookie` returns empty. As the cookie is empty here and I'm not getting the sessionId in the URL either, then how does it work? – Ashok Dec 03 '14 at 07:07
  • You can view the cookies in your browser settings (something like privacy settings). `document.cookie` does not return all cookies, see this question: http://stackoverflow.com/questions/17508027/cant-access-cookies-from-document-cookie-in-js-but-browser-shows-cookies-exist – Marthijn Dec 03 '14 at 10:06
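The mechanism the answer describes, as an added example that is not part of the original answer and not ASP.NET's own code: a server-side key/value store keyed by the session id, a request resolved purely by the cookie it carries (the client address is never consulted, which is exactly why a copied cookie value works from another machine), an HttpOnly/Secure session cookie (which is why `document.cookie` comes back empty), and a fresh id issued at login. The cookie name is ASP.NET's default; the store, helper names and `client_ip` parameter are assumptions of this model.

```python
import secrets
from typing import Optional, Tuple
from http.cookies import SimpleCookie

# Constructed model of what the answer describes; not ASP.NET's implementation.
COOKIE_NAME = "ASP.NET_SessionId"      # default session cookie name in ASP.NET
SESSIONS: dict = {}                    # server side: session id -> session data


def lookup_session_id(headers: dict) -> Optional[str]:
    """Return the id from the Cookie header only if it names a live session."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    if morsel is not None and morsel.value in SESSIONS:
        return morsel.value
    return None


def new_session() -> Tuple[str, str]:
    """Create an empty session and the Set-Cookie value that hands out its id."""
    sid = secrets.token_urlsafe(24)    # unguessable id; never derived from the client
    SESSIONS[sid] = {}
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["httponly"] = True  # script cannot read it via document.cookie
    jar[COOKIE_NAME]["secure"] = True    # only sent over HTTPS
    return sid, jar[COOKIE_NAME].OutputString()


def handle_request(headers: dict, client_ip: str) -> Tuple[str, dict, Optional[str]]:
    """Resolve the request's session. client_ip is accepted but deliberately
    unused: the server never identifies a session by machine or browser."""
    sid = lookup_session_id(headers)
    if sid is not None:
        return sid, SESSIONS[sid], None
    sid, set_cookie = new_session()
    return sid, SESSIONS[sid], set_cookie


def login(headers: dict, client_ip: str, user_name: str, user_id: int) -> Tuple[str, str]:
    """After the credentials were verified against the database, store the user
    in a fresh session and drop the pre-login one, so an id that was handed out
    before authentication cannot be replayed as the logged-in session."""
    old = lookup_session_id(headers)
    if old is not None:
        del SESSIONS[old]
    sid, set_cookie = new_session()
    SESSIONS[sid].update({"userName": user_name, "userId": user_id})
    return sid, set_cookie
```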