Quintin79

Can I Reset SessionID

Hey, I was just wondering if there was any way at all that I can reset the session ID of a session without having the browser close. I've tried Session.Abandon and Session.Clear but nothing works. See, the way I manage the traffic on my site is with the SessionID, and when a session times out I'd like to issue the user with another session ID.

Can I do it?
daffodils

Actually Session.Abandon works.. it kills the current session..
But to update SessionID, you would need to do something that can be taken as a new Request.. that is when a new Session ID will be generated and assigned to the Session. Since you are not closing the browser, you would need to do something, like a button click postback, to start a new Session.

Try this simple example.. place a Label and a Button on a web form.. now in your code behind, copy my code.

private void Page_Load(object sender, System.EventArgs e)
{
    if (!IsPostBack)
    {
        Label1.Text = "Old Session: " + Session.SessionID.ToString();
        Session.Abandon();
    }
}

private void Button1_Click(object sender, System.EventArgs e)
{
    Label1.Text += "New Session: " + Session.SessionID.ToString();
}

On Page Load, you would see a Session ID and after you click on the button, you would see a new Session ID.

ASKER

Hi, thanks for the prompt reply, but I don't really speak C, although I can follow it.

What I was doing with my abandon command was, when the logout.aspx page loads, I was calling Session.Abandon() to clear all member credentials and then creating some new session variables for the guest account. This worked but didn't assign a new session ID. What steps would I need to add in here to get a new ID?

thanks
Oh.. well I don't speak VB very well :))

Okay so, how do you logout..
Do you have a logout button on a page (other than logout.aspx) that allows a user to logout?
In that case.. call Session.Abandon() in the Click event of the Logout button, just before you call the "logout.aspx".
Now when the logout.aspx loads, a new Session ID will be created.
Well, there's no button that does it, it's just a link to the logout page and that page does all the work. Would it work if I just Response.Redirected back to that page again?
I tested that.. it doesn't work. The deal is to fool the application into thinking that this is a new page request.
Hmm.. give me a minute.. let me try.
wo.. I tried all sorts of combinations with Button, LinkButton and even <a href> (with runat=server), redirections back to the same page, new page etc etc etc.. but it doesn't seem to work.

The only workaround I see is that.. on logout.aspx load (this is not VB), abandon the session and then use a "Confirm Logout" button to generate a new Session ID.

...Page Load Function..
If Not PostBack
  Session.Abandon()
  Label1.Text = Session.SessionID
end if

...Confirm Logout button click Function..
Label2.Text = Session.SessionID

The reason this works is because there is a "genuine" new user request, all the window.opens, Response.Redirects, Server.Transfers execute FROM the code running on the server, it doesn't come as a browser request. And so they get the same Session ID, while a new request gets assigned a "shiny new" Session ID.
ASKER CERTIFIED SOLUTION
ihenry

iHenry, are you definitely right? I thought this might have been the case but wasn't sure.

Daffodils, thanks for the efforts though

:o)
Take out the Session_Start event from global.asax then you can see the SessionID keeps changing on every request. But I don't think this is what you want.
iHenry.. am not so sure about that though.. Check my first reply, that example works!
what I have not been able to figure out is.. why does that example work ??
and why doesn't it work, when the same page is called from another page??
hi daffodils

I tried your example, it doesn't work. It's showing the same SessionID on every request.
You mean on every button click for a stand-alone web page??
weird .. works for me!
Check the global.asax.vb or global.asax.vb, do you have the Session_Start event there?
yep.. I just created a brand new project and placed a webform on it.
Then the Label and Button.. and the code copied from above.. works!

Yet it doesn't for you.. this is crazy.. really really weird and crazy!
Mine also a brand new project :o)) Another try, assign something to Session before abandon.
wow.. don't tell me!
Okay so.. I tried assigning something to the Session before abandon.. and guess what..

I can't retrieve it in the Button_Click or in the Page_Load outside of the "if(!IsPostBack)" block!
So that means Session is effectively empty.

mm..isn't that the correct behaviour? Session.Abandon cancels the current session and clears all the session variables but it shouldn't as well clear the SessionID..
oh yes it is the correct behavior.
Session.Abandon
- cancels the current session
- clears all the session variables
- And clears the SessionID

But why doesn't it happen at your end ??

"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This information is widely known as ASP.NET behaviour. I guess it's not difficult for you to get where the information came from :o)
Q: Why does the SessionID remain the same after the Session times out or abandoned?
A:Even though the session state expires after the indicated timeout period, the session ID lasts as long as the browser session. What this implies is that the same session ID can represent multiple sessions over time where the instance of the browser remain the same.

Q: Why does the SessionID changes in every request?
A: This may happen if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing.

I found these in the article here...
http://www.eggheadcafe.com/articles/20021016.asp

>>>"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This is not so in my case...
- Created a Session object and assigned a value to it.
- Retrieved the Session object 'test' and displayed it on a Label control
- Print old Session ID
- Session.Abandon()
- Click the Button
- Print new Session ID
- The Session object 'test' contains null.

So, the application has stored something and retrieved it successfully to/from the Session state before Abandon.
Then why is a new Session ID created?
And the SessionID does not change with every request.. only on the very first postback (id2 is generated).. on every subsequent button click, postback or refresh, the Session ID remains the same (id2).

daffodils, I'm able to reproduce your case and I hope with my understanding I can explain this peculiar case in more details.

As you know, I know and we know, this is how the life cycle of a Session works in ASP.NET:
[1]. User makes a request to the server
[2]. ASP.NET retrieves request session id from http cookie (ASP.NET_SessionId) that is attached in http request of the client browser. ASP.NET then looks for the same session id in the configured state provider storage (Session dictionary, SQL Server or NT state service). If one does not exist ASP.NET generates a new session id and raises the Session_OnStart event.
[3]. Other server-side process...
[4]. ASP.NET sends http response back to the client with the session id attached.


This is what happens after you press F5 to start your sample case
1. Step [1]
2. Step [2]
3. a. Assign some data to Session dictionary
    b. Abandon - (*)
4. Step [4]
(*) This however DESTROYS the dictionary associated with the session BEFORE THE REQUEST IS COMPLETED, therefore the dictionary IS STILL EMPTY.


And this is when you click on the button and the page postback for the first time
1. Step [1]
2. Step [2], (**)
3. Step [3]
4. ......etc
(**) NO DATA FOUND in the state provider storage and new session id is generated. And Session_OnStart event is defined therefore session state is saved - dictionary IS NOT EMPTY.

I guess you already know now what happens after the subsequent request
1. Step [1]
2. Step [2] (***)
3. .......etc
(***) ASP.NET found the corresponding session id from the cookie in the state provider storage. As a result, the session id remains constant for all subsequent requests.


And this is the sample application to help me describe better what I have explained above.

--- page.cs
private void Page_Load(object sender, System.EventArgs e)
{
      Response.Write( "Page_Load<br>" );
      Session["test"] = "test";
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<BR>", Session["test"]) );
      if ( !Page.IsPostBack )
            Session.Abandon();
      Response.Write( "End of Page_Load<br>" );
}


private void Button1_Click(object sender, System.EventArgs e)
{
      Response.Write( "Button1_Click<br>" );
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<br>", Session["test"]) );
      Response.Write( "End of Button1_Click<br>" );
}

-------- global.asax.cs
protected void Session_Start(Object sender, EventArgs e)
{
      Response.Write( "Session_Start<br>" );
}
have forgotten this question, daffodils :o)
Hey ihenry,
good to hear from you again.. actually I had forgotten all about it .. <sheepish smile> :))
sorry about that.. got tied up with something and forgot all about testing your code.

I understood about the "request not completing" part.. think that was the *peculiar* part of my scenario :)).
In fact that answers the question - why a simple Response.Redirect to my same page was not working.. because once the request is complete, the Session ID will not change until the browser closes.

Thanks a lot for staying by me on this one.. it really cleared up a lot of things about request processing in .NET ..had to look up documentation on MSDN, didn't get around to reading them completely though ;)), maybe someday :)).

Thanks ihenry ... and sorry, I should have replied earlier.
until next question then :)) ~ Regards, Ritu
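
An added example, not part of the original thread: the lifecycle described above reads the session ID from the ASP.NET_SessionId cookie, so a logout page can force a fresh ID without a button by abandoning the session and expiring that cookie in the same response. The class name `Logout` and the redirect target `~/default.aspx` are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for logout.aspx (class name is an assumption).
public class Logout : Page
{
    // Default session cookie name, as quoted in the thread. It differs if
    // <sessionState cookieName="..."> is set in web.config.
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop the member's server-side state.
        Session.Clear();
        Session.Abandon();

        // Abandon() does not touch the browser's cookie, so the old ID would
        // be presented again on the next request. Overwrite it with an empty,
        // already-expired cookie so the browser discards it.
        HttpCookie expired = new HttpCookie(SessionCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        expired.HttpOnly = true;
        Response.Cookies.Add(expired);

        // Session values written after Abandon() in this request are thrown
        // away with the abandoned session, so the guest variables are set on
        // the page the browser requests next (assumed landing page), where
        // no session cookie arrives and a new ID is issued.
        Response.Redirect("~/default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The landing page should store at least one value in Session; as quoted in the thread, a session that has never stored anything is not saved and receives a new ID on every request.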