I have such a requirement for my ASP.NET MVC app:
Session created before authentication should be closed and new session, with new ID, should be started
So it should work like this:
- User is redirected (GET request) to my app (some method in the controller) with auth info
- Closing old session, starting new one
- Auth, saving user data to the session
Let's look at the controller:
```csharp
public ActionResult Login(string token) {
    Session.Abandon(); // I want new session!
    // Some auth stuff
    Session["this"] = "x";
    Session["that"] = "y";
    return View();
}
```
On debugging, I can see session values "this" and "that" set to "x" and "y". But now let's go to the view that this method uses:
```cshtml
@{
    var @this = Session["this"]; // Wut? @this is null
    var that = Session["that"]; // Wut? that is null
}
```
So, a little digging gave me the answer:
Abandon causes the End event to be raised. A new Start event will be raised on the next request. https://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.abandon%28v=vs.110%29.aspx
It seems that the lifecycle looks like this:
- "Session.Abandon()" - session marked to be closed
- Setting session values.
- "return View()"
- Session closed and (not sure about this) new session started
- View - session values set in controller are missing.
Completely unacceptable. How can I overcome this?
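
An added example, not part of the original post: because values written after `Session.Abandon()` belong to the session that is destroyed at the end of the request, one way to get a new ID is to split the login across two requests. `CompleteLogin` and `IsValidToken` are hypothetical names, and `ASP.NET_SessionId` is assumed to be the session cookie name (the default unless `cookieName` is changed in `sessionState`).

```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class AccountController : Controller
{
    // Request 1: tear down the pre-authentication session and store nothing,
    // since anything written here is discarded together with the old session.
    public ActionResult Login(string token)
    {
        Session.Clear();
        Session.Abandon();

        // Abandon() leaves the session ID cookie in place, so the same ID would
        // be reused. Expire the cookie so the next request arrives without one
        // and ASP.NET generates a fresh ID.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        // TempData is session-backed by default and would be lost as well,
        // so the token travels as a route value, as it did on the way in.
        return RedirectToAction("CompleteLogin", new { token });
    }

    // Request 2: runs inside the new session, so these values survive
    // into the view and into later requests.
    public ActionResult CompleteLogin(string token)
    {
        if (!IsValidToken(token))
        {
            return new HttpStatusCodeResult(403);
        }

        Session["this"] = "x";
        Session["that"] = "y";
        return View("Login");
    }

    // Hypothetical stand-in for the "Some auth stuff" step in the question;
    // replace with the real token verification.
    private static bool IsValidToken(string token)
    {
        return !string.IsNullOrEmpty(token);
    }
}
```

Authentication happens only in the second request, so no user data is ever attached to the session ID that existed before login.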