15

I'm writing some logging code that is based on SessionID...

However, when I log out (calling Session.Abandon), and log in once again, SessionID is still the same. Basically every browser on my PC has it's own session id "attached", and it won't change for some reason :/

Any ideas what is going on?

My Session config looks like this:

    <sessionState
       mode="InProc"
       timeout="1" />

Thanks, Paweł

dragonfly
  • 17,407
  • 30
  • 110
  • 219
  • Why did you want to remove the session id? It will help me a lot if you will answer my question here: http://stackoverflow.com/questions/37642982/why-not-to-reuse-asp-net-sessionid – Offir Jun 05 '16 at 14:42

5 Answers5

14

Check this article which explains the process on session.abandon

http://support.microsoft.com/kb/899918

Taken from above link -

"When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance"

Sachin Shanbhag
  • 54,530
  • 11
  • 89
  • 103
  • 13
    Yep. This is what you have to do in your Logout code: Session.Abandon(); Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); And in Web.config do this: – Augis Jul 31 '13 at 15:15
  • What is the benefit of deleting the cookie? Please take a look at my question here: http://stackoverflow.com/questions/37642982/why-not-to-reuse-asp-net-sessionid – Offir Jun 06 '16 at 10:43
  • Check this solution may be help you: https://stackoverflow.com/a/51551957/3649347 – Tell Me How Jul 27 '18 at 06:32
5

This is a default behavior by design as stated here:

Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting regenerateExpiredSessionId attribute of the sessionState configuration element to true

You can disable this setting as mentioned above.

EDIT: Setting regenerateExpiredSessionId attribute to true works only for cookieless sessions. To overcome your problem, you can consider to implement a custom class that inherits SessionIDManager class. You can get information about that here and here.

Zafer
  • 2,180
  • 16
  • 28
  • Thanks. Howewer http://msdn.microsoft.com/en-us/library/h6bb9cz9%28v=VS.90%29.aspx claims that regenerateExpiredSessionId default value is set to true. Anyway, I did it now, set regenerateExpiredSessionId="true", and SessionID is still the same. – dragonfly Sep 15 '10 at 09:38
  • yes - this should work but then documentation states that this applies only to cookie-less sessions. See remarks at http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.regenerateexpiredsessionid.aspx – VinayC Sep 15 '10 at 09:38
  • Oh dear :/ So... is there a way to regenerate SessionID using NOT cookie-less sessions, I'm confused. – dragonfly Sep 15 '10 at 09:43
  • Yes, that setting works for cookieless sessions where sessionid is passed in the url between browser requests. – Zafer Sep 15 '10 at 09:57
  • 1
    creating own SessionIdManager is unlikely to solve the issue as the most probably CreateSessionID will not be invoked by ASP.NET unless session cookie is cleared. – VinayC Sep 15 '10 at 10:20
3

This is an old post but if someone is still looking for answers, here is a complete and step-by-step solution on how to achieve a clean logout with a new session ID every time.

Please note this article applies to cookie-enabled (cookieless=false) sites only.

Step (1) Modify your web.config file & add "regenerateExpiredSessionID" flag as under - 

<sessionState mode="InProc" cookieless="false" regenerateExpiredSessionId="true" />

Step (2) Add the following code in your logout event - 

Session.Clear(); 
Session.Abandon();
Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", ""));
Response.redirect(to you login page);

Step (3) Add the following code in your login page's page_load event - 

if(!IsPostBack) 
{
    Session.Clear(); 
    Session.Abandon();
}

Step 2 and 3 serve one IMPORTANT purpose. This code makes sure a brand new Session ID is generated after you click the "Login" button. This prevents Weak Session Management (Session Fixation vulnerability) which will likely be spotted during a 3rd party Penetration Testing of your site.

Hope this helps.

AV2000
  • 459
  • 5
  • 5
2

Here's what worked for me, the only caveat is that this code need to be separated from your login routine. 

Response.Cookies("ASP.NET_SessionId").Expires = DateTime.Now.AddYears(-30)

It will not take effect until the page is finished loading. In my application I have a simple security routine, that forces a new ID, like this:

if session("UserID") = "" then 
    Response.Cookies("ASP.NET_SessionId").Expires = DateTime.Now.AddYears(-30)
    Response.Redirect("login.aspx")
end if
shitburg
  • 190
  • 1
  • 9
  • I used the below code, HttpContext.Current.Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddYears(-30). But if you have existing session values, please store them in memory and perform the above operation or else all the values in session will get wiped out. Also a important point to note is, as said by shitburg the new session ID gets generated upon reload only. – balaji palamadai Jun 05 '17 at 12:15
0

You may explicitly clear the session cookie. You should control the cookie name by configuration and use same name while clearing.

Edit: Clearing session cookie when session is abandoned will force ASP.NET to create new session & sessionid for next request. BTW, yet another way to clear the session cookie is to use SessionIDManager.RemoveSessionID method.

VinayC
  • 47,395
  • 5
  • 59
  • 72