6

I've done quite a bit of testing on this, and I'm thoroughly confused. It seems ASP.NET will generate an ASP.NET_SessionId cookie if the Session_Start method in the MvcApplication class is defined, even if I'm not using the Session variable anywhere. That seems odd, considering there doesn't have to be anything in the method's body.

Example (Global.asax.cs):

using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;

namespace MyApplication
{
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);
        }

        private void Session_Start() { } // this is all it takes to generate a SessionId (?)
    }
}

Now, I'm confused for multiple reasons:

  1. How is the mere presence of the Session_Start function enough to generate a SessionId? I'm not utilizing the Session variable anywhere in the application, and the method is empty.

  2. The Session_Start method is private, and I'm obviously not calling it anywhere inside the class, so how does ASP.NET know when a session starts?

  3. How does anything outside of this class even know the Session_Start method exists, and to check for a SessionId cookie? It isn't a partial class, and it's explicitly marked private.

I know these reasons sort of blend into one another, but I'm really at a loss as to how this works.

johnnyRose
  • 7,310
  • 17
  • 40
  • 61
  • Does this help? http://stackoverflow.com/questions/25445912/how-session-start-in-global-asax-works-mvc – garfbradaz Jul 23 '15 at 19:31
  • or https://msdn.microsoft.com/en-us/library/ms178473.aspx – garfbradaz Jul 23 '15 at 19:31
  • I don't always put `Session_Start` in my Application class, and I still get SessionID's. I think the answer you seek is elsewhere. – mason Jul 23 '15 at 19:32
  • @mason - I only get SessionIds when I define that method. If I comment it out, I no longer get a SessionId cookie, so it's definitely `Session_Start`. – johnnyRose Jul 23 '15 at 19:42
  • @johnnyRose What if you comment that out, but use the Session object on some web form or controller? – mason Jul 23 '15 at 20:21
  • @mason - I assume it would still generate a SessionId. I edited my question to be slightly clearer, since that was really never my question to begin with. – johnnyRose Jul 23 '15 at 20:29
  • @johnnyRose My point was that it appears the framework intelligently adds the SessionID if it's needed. Even though Session_Start may be marked as private, the framework could be using reflection to check for its presence. If you really want to know the answer, I suggest you search the [ASP.NET source code](http://referencesource.microsoft.com/#System.Web/). If i had to venture a guess, the answer is somewhere within the `System.Web.SessionState` namespace. Probably try to figure out what calls [CreateSessionID](http://referencesource.microsoft.com/System.Web/R/e870575572388e1c.html). – mason Jul 23 '15 at 20:33
  • It's a lot easier to know whether a `Session_Start` exists or not than it is to know whether it does anything or not. – Jon Hanna Jul 24 '15 at 10:23

1 Answers1

7

Session_Start is like an event handler for the application. When a new session is created, this method is called by the application. It does not create Session IDs, it is meant as a way for the developer to know when a user visits the site for the first time (that session). This can be used to run some initialization routines or tracking purposes (e.g., we had x number of unique sessions today).

What triggers the creation of the Session and SessionID is a user visiting a page that has session enabled-- ASP.NET will create the Session behind the scenes. The answer to this question has two ways of enabling session state for pages: Session state can only be used when enableSessionState is set to true either in a configuration

In summary:

in web.config, for all pages: 

<system.web>
      <pages enableSessionState="true" /> 
 </system.web>

in your page.aspx, on a per-page basis (set it to false to turn it off on a per-page basis):

<%@Page enableSessionState="true">

Your web.config should also configure the SessionState mode. This is an example of using the server's memory to store session state:

<sessionState cookieless="false" mode="InProc" timeout="20" />
Community
  • 1
  • 1
ps2goat
  • 8,067
  • 1
  • 35
  • 68
  • Thank you for your (very good) answer. I know the `Session_Start` method doesn't actually create the SessionIds, but I guess I'm still confused as to how the mere presence of the private method tells ASP.NET to generate those Ids. Does that make sense? – johnnyRose Jul 23 '15 at 21:27
  • It doesn't. What happens if you remove that method? I don't believe any of the Application Events have to be implemented. – ps2goat Jul 23 '15 at 21:37
  • I'm not using the session variable anywhere else in my application, so when I remove it, SessionIds are no longer created - which makes sense when you say it. I just don't understand *how*. – johnnyRose Jul 23 '15 at 21:40
  • hmm, so maybe that's simply another trigger. If you disable session state on all your pages, would the `Session_Start` method still be hit? In the example above, set `` in the web.config and see what happens. – ps2goat Jul 23 '15 at 21:52
  • Same behavior - a SessionId cookie is created when `Session_Start` is defined. – johnnyRose Jul 23 '15 at 21:55