Solved

Can I Reset SessionID

Posted on 2004-09-09
25
2,665 Views
Last Modified: 2008-01-09
Hey i was just wondering if there was any way at all that i can reset the session ID of a session without having the browser close.  ive tried session.abandon and session.clear but nothing works.  see the way i manage the traffic on my site is with the sessionid and when a session times out id like to issue the user with another session ID

Can i do it?
0
Comment
Question by:Quintin79
  • 12
  • 10
  • 3
25 Comments
 
LVL 8

Expert Comment

by:daffodils
ID: 12022709
Actually Session.Abandon works.. it kills the current session..
But to update SessionID, you would need to do something that can be taken as a new Request.. that is when a new Session ID will be generated and assigned to the Session. Since you are not closing the browser, you would need to do something, like a button click postback, to start a new Session.

Try this simple example.. place a Label and a Button on a web form.. now in your code behind, copy my code.

private void Page_Load(object sender, System.EventArgs e)
{
   if(!IsPostBack)
   {
       Label1.Text = "Old Session: " + Session.SessionID.ToString();
       Session.Abandon();
    }
}

private void Button1_Click(object sender, System.EventArgs e)
{
    Label1.Text += "New Session: " + Session.SessionID.ToString();
}

On Page Load, you would see a Session ID and after you click on the button, you would see a new Session ID.
0
 
LVL 1

Author Comment

by:Quintin79
ID: 12022729
Hi thanks for the prompt reply but i dont really speak C altho i can follow it.

what i was doing with my abandon command was when the logout.aspx page loads i was calling session.abandon() to clear all member credentials and then creating some new session variables for the guest account.  this worked but didnt assign a new sessino id.  what steps would i need to add in here to get a new id?

thanks
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12022812
Oh.. well I don't speak VB very well :))

Okay so, how do you logout..
Do you have a logout button on a page (other than logout.aspx) that allows a user to logout?
In that case.. call Session.Abandon() in the Click event of the Logout button, just before you call the "logout.aspx".
Now when the logout.aspx loads, a new Session ID will be created.
0
 
LVL 1

Author Comment

by:Quintin79
ID: 12022841
well theres no button that does it, its just a link to the logout page and that page does all the work.  would it work if i just response.redirected back to that page again ?
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12022892
I tested that.. it doesn't work. The deal is to fool the application into thinking that this is a new page request.
Hmm.. give  a minute.. let me try.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023039
wo.. I tried all sorts of combinations with Button, LinkButton and even <a href> (with runat=server), redirections back to the same page, new page etc etc etc.. but it doesn't seem to work.

The only workaround I see is that.. on logout.aspx load (this is not VB), abandon the session and then use a "Confirm Logout" button to generate a new Session ID.

...Page Load Function..
If Not PostBack
  Session.Abandon()
  Label1.Text = Session.SessionID
end if

...Confirm Logout button click Function..
Label2.Text = Session.SessionID

The reason this works is because there is a "genuine" new user request, all the window.opens, Response.Redirects, Server.Transfers execute FROM the code running on the server, it doesn't come as a browser request. And so they get the same Session ID, while a new request gets assigned a "shiny new" Session ID.
0
 
LVL 20

Accepted Solution

by:
ihenry earned 50 total points
ID: 12023076

I don't believe you can change SessionID in one browser session. The correct behaviour is the SessionID remains the same as long as the browser session, even if after the session times out or abandoned.
0
 
LVL 8

Assisted Solution

by:daffodils
daffodils earned 75 total points
ID: 12023082
chuck that.. it doesn't work!!!
0
 
LVL 1

Author Comment

by:Quintin79
ID: 12023088
iHenry are you definately right ? i thought this might have been the case but wasnt sure.

Daffodils thanks for the efforts though
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023089

:o)
Take out the Session_Start event from global.asax then you can see the SessionID keeps changing on every request. But I don't think this is what you want.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023159
iHenry.. am not so sure about that though.. Check my first reply, that example works!
what I have not been able to figure out is.. why does that example work ??
and why doesn't it work, when the same page is called from another page??
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023253
hi daffodils

I tried your example, it doesn't work. It's showing the same SessionID on every request.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 8

Expert Comment

by:daffodils
ID: 12023279
You mean on every button click for a stand-alone web page??
wierd .. works for me!
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023284
Check the global.asax.vb or global.asax.vb, do you have the Session_Start event there?
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023316
yep.. I just created a brand new project and placed a webform on it.
Then the Label and Button.. and the code copied from above.. works!

Yet it doesn't for you.. this is crazy.. really really wierd and crazy!
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023515
Mine also a brand new project :o)) Another try, assign something to Session before abandon.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023811
wow.. don't tell me!
Okay so.. I tried assigning something to the Session before abandon.. and guess what..

I can't retrieve it in the Button_Click or in the Page_Load outside of the "if(!IsPostBack)" block!
So that means Session is effectively empty.

0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023946
mm..isn't that the correct behaviour? Session.Abandon cancels the current session and clears all the session variables but it shouldn't as well clear the SessionID..
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12024065
oh yes it is the correct behavior.
Session.Abandon
- cancels the current session
- clears all the session variables
- And clears the SessionID

But why doesn't it happen at your end ??
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12024129

"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This information is widely known as ASP.NET behaviour. I guess it's not difficult for you to get where the information came from :o)
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12029085
Q: Why does the SessionID remain the same after the Session times out or abandoned?
A:Even though the session state expires after the indicated timeout period, the session ID lasts as long as the browser session. What this implies is that the same session ID can represent multiple sessions over time where the instance of the browser remain the same.

Q: Why does the SessionID changes in every request?
A: This may happen if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing.

I found these in the article here...
http://www.eggheadcafe.com/articles/20021016.asp

>>>"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This is not so in my case...
- Created a Session object and assigned a value to it.
- Retrieved the Session object 'test' and displayed it on a Label control
- Print old Session ID
- Session.Abandon()
- Click the Button
- Print new Session ID
- The Session object 'test' contains null.

So, the application has stored something and retrieved it successfully to/from the Session state before Abandon.
Then why is a new Session ID created?
And the SessionID doesnot change with every request.. only the very first postback (id2 is generated).. on every subsequent button clicks or postbacks or refreshes, the Session ID remains same (id2).
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12033792

daffodils, I'm able to reproduce your case and I hope with my understanding I can explain this peculiar case in more details.

As you know, I know and we know this is how the life cycle process of Session in ASP.NET
[1]. User makes a request to the server
[2]. ASP.NET retrieves request session id from http cookie (ASP.NET_SessionId) that is attached in http request of the client browser. ASP.NET then looks for the same session id in the configured state provider storage (Session dictionary, SQL Server or NT state service). If one does not exist ASP.NET generates a new session id and raises the Session_OnStart event.
[3]. Other server-side process...
[4]. ASP.NET sends http response back to the client with the session id attached.


This is what happen after you press F5 to start your sample case
1. Step [1]
2. Step [2]
3. a. Assign some data to Session dictionary
    b. Abandon - (*)
4. Step [4]
(*) This however DESTROY the dictionary associated with the session BEFORE THE REQUEST IS COMPLETED therefore the dictionary IS STILL EMPTY.


And this is when you click on the button and the page postback for the first time
1. Step [1]
2. Step [2], (**)
3. Step [3]
4. ......etc
(**) NO DATA FOUND in the state provider storage and new session id is generated. And Session_OnStart event is defined therefore session state is saved - dictionary IS NOT EMPTY.

I guess you have already known now what happens after the subsequent request
1. Step [1]
2. Step [2] (***)
3. .......etc
(***) ASP.NET found the corresponding session id from the cookie in the state provider storage. As a result, the session id remains constant for all subsequent requests.


0
 
LVL 20

Expert Comment

by:ihenry
ID: 12033814
And this is the sample application to help me describe better what I have explained above.

--- page.cs
private void Page_Load(object sender, System.EventArgs e)
{
      Response.Write( "Page_Load<br>" );
      Session["test"] = "test";
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<BR>", Session["test"]) );
      if ( !Page.IsPostBack )
            Session.Abandon();
      Response.Write( "End of Page_Load<br>" );
}


private void Button1_Click(object sender, System.EventArgs e)
{
      Response.Write( "Button1_Click<br>" );
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<br>", Session["test"]) );
      Response.Write( "End of Button1_Click<br>" );
}

-------- global.asax.cs
protected void Session_Start(Object sender, EventArgs e)
{
      Response.Write( "Session_Start<br>" );
}
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12055576
have forgotten this question, daffodils :o)
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12057638
Hey ihenry,
good to hear from you again.. actually I had forgotten all about it .. <sheepish smile> :))
sorry about that.. got tied up with something and forgot all about testing your code.

I understood about the "request not completing" part.. think that was the *peculiar* part of my scenario :)).
In fact that answers the question - why a simple Response.Redirect to my same page was not working.. because once the request is complete, the Session ID will not change until the browser closes.

Thanks a lot for staying by me on this one.. it really cleared up a lot of things about request processing in .NET ..had to look up documentation on MSDN, didn't get around to reading them completely though ;)), maybe someday :)).

Thanks ihenry ... and sorry, I should have replied earlier.
until next question then :)) ~ Regards, Ritu
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now