In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

Question

Both Session.Clear() and Session.Abandon() get rid of session variables. As I understand it, Abandon() ends the current session, and causes a new session to be created thus causing the End and Start events to fire.

It seems preferable to call Abandon() in most cases, such as logging a user out. Are there scenarios where I'd use Clear() instead? Is there much of a performance difference?

score 178 · Accepted Answer · edited Sep 26 '13 at 20:42

178

Session.Abandon() destroys the session and the Session_OnEnd event is triggered.

Session.Clear() just removes all values (content) from the Object. The session with the same key is still alive.

So, if you use Session.Abandon(), you lose that specific session and the user will get a new session key. You could use it for example when the user logs out.

Use Session.Clear(), if you want that the user remaining in the same session (if you don't want the user to relogin for example) and reset all the session specific data.

edited Sep 26 '13 at 20:42

Daniel

10,864
22
84
115

answered Dec 07 '08 at 08:25

splattne

102,760
52
202
249

1

I believe better to use RemoveAll() instead of Clear(), as "Darin Dimitrov" has suggested over here http://stackoverflow.com/a/3931344/713246 – Bibhu Jan 09 '13 at 09:12
6

@Bibhu: How did he suggest that RemoveAll() was better than Clear()? All I saw in his answer was that RemoveAll() calls Clear(), and seems to be functionally identical. – Adam Miller Apr 09 '14 at 21:12
1

Just used `Session.Abandon()` as a 'logout' on an internal app using Windows Authentication - users did not have to re-authenticate (Chrome, FF), but the session disposed and a new one issued, which met my requirements – brichins Nov 18 '14 at 01:00

score 14 · Answer 2 · edited Nov 23 '11 at 04:45

14

Only using Session.Clear() when a user logs out can pose a security hole. As the session is still valid as far as the Web Server is concerned. It is then a reasonably trivial matter to sniff, and grab the session Id, and hijack that session.

For this reason, when logging a user out it would be safer and more sensible to use Session.Abandon() so that the session is destroyed, and a new session created (even though the logout UI page would be part of the new session, the new session would not have any of the users details in it and hijacking the new session would be equivalent to having a fresh session, hence it would be mute).

edited Nov 23 '11 at 04:45

animuson

53,861
28
137
147

answered Oct 21 '11 at 13:12

shabbirh

675
1
5
13

4

What would be the point of hijacking an empty session? The hijacker would still have to log in, and their is no data to accidently provide to the new user. – Trisped Jul 09 '12 at 23:10
I think that's the point. It's only empty if abandon is called. Otherwise, there could be data in the hijacked session (even though its been logged out.) – James Hurley Jul 25 '23 at 16:00

score 3 · Answer 3 · edited May 15 '12 at 17:12

3

Session.Abandon destroys the session as stated above so you should use this when logging someone out. I think a good use of Session.Clear would be for a shopping basket on an ecommerce website. That way the basket gets cleared without logging out the user.

edited May 15 '12 at 17:12

John Fisher

22,355
2
39
64

answered May 15 '12 at 10:14

Kasim Shafiq

31
1

But what if I use `Session.Abandon` to just clear a specific shopping basket? – WTFZane Feb 15 '17 at 01:05

score 0 · Answer 4 · answered Dec 07 '08 at 14:34

I had this issue and tried both, but had to settle for removing crap like "pageEditState", but not removing user info lest I have to look it up again.

public static void RemoveEverythingButUserInfo()
{
    foreach (String o in HttpContext.Current.Session.Keys)
    {
        if (o != "UserInfoIDontWantToAskForAgain")
            keys.Add(o);
    }
}

In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

4 Answers4

Linked