sessionId is reused after calling session.abandon

Andy Fish

Hi,

I have an asp.net application that is using Forms Authentication and
maintaining http session state using cookies in the normal way.

When the user clicks the logout button I do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Default.aspx");

This in turn causes Forms Authentication to redirect them to the login page.
AFAIK this is standard practice.

However, if the user immediately logs back in again from the same browser
window they get the same SessionId. How so?

I thought Session Ids were supposed to be unique? Has the session ID been
re-used again already or was it not cleared?

TIA for any thoughts.

Andy
 
William F. Robertson, Jr.

I believe the SessionID is set up on the first connection between the
IExplorer process and the remote server. The same ID is used because the
Session is technically the same session.

However the Session memory has been removed and the Session Start method
will be called in your global.cs.

bill
 
Andy Fish

Hmm,

I'm using Session_End (in global.asax) to clear up stuff relating to the
session, and some of it uses the session id to identify the session.

In this case, is it possible that my Session_End function could be called
when there is another session in use with the same id? That would really
screw up my tidy-up processing.

Andy
 
William F. Robertson, Jr.

This is speculation, but I feel pretty confident about it.

I make a request.
SessionID: 77

The application begins processing my request, sees there is no Session data
for SessionID: 77. Calls Session_Start.

I go through the site and logout.
SessionID 77 is removed from Session data.
Session_End removes SessionID 77 from the collection.

I make another request.
SessionID: 77

The application begins processing my request. Since I removed SessionID:
77, the application calls Session_Start.

Regarding your question: I am not sure exactly how you are doing this, but
if you are concerned about it, you probably should generate your own
Session_Instance_ID, and pass this item through each request.

bill
 
Andy Fish

Thanks Bill,

After a bit of investigation, it seems to me that Session_End is called
immediately after I call Session.Abandon, so I guess I am safe.

Andy
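
Added example (not part of the thread, and not code from either poster): a sketch of the per-instance ID suggested above, combined with blanking the session cookie at logout so the browser stops presenting the old SessionID. The names InstanceKey, SessionResources and LogoutHelper are hypothetical, and it assumes InProc session state and the default session cookie name.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Global.asax code-behind. Names other than the ASP.NET APIs are hypothetical.
public class Global : HttpApplication
{
    public const string InstanceKey = "SessionInstanceId";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Raised again after Abandon(), even when the browser resends the
        // old SessionID, so each session instance gets its own GUID.
        Guid id = Guid.NewGuid();
        Session[InstanceKey] = id;
        SessionResources.Register(id);
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Only raised with InProc session state. Clean up by instance GUID,
        // never by SessionID, which a newer session may now be using.
        object id = Session[InstanceKey];
        if (id != null) SessionResources.Release((Guid)id);
    }
}

// Stand-in for whatever the application tracks per session.
public static class SessionResources
{
    static readonly ConcurrentDictionary<Guid, DateTime> Live =
        new ConcurrentDictionary<Guid, DateTime>();
    public static void Register(Guid id) { Live[id] = DateTime.UtcNow; }
    public static bool Release(Guid id) { DateTime t; return Live.TryRemove(id, out t); }
}

public static class LogoutHelper
{
    public static void SignOut(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        // Blank the session cookie (default name; configurable) so a new SessionID is issued.
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
        ctx.Response.Redirect("Default.aspx");
    }
}
```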
 
