Solved

Can I Reset SessionID

Posted on 2004-09-09
Last Modified: 2008-01-09
Hey, I was just wondering if there was any way at all that I can reset the session ID of a session without having the browser close. I've tried session.abandon and session.clear but nothing works. See, the way I manage the traffic on my site is with the sessionid, and when a session times out I'd like to issue the user with another session ID.

Can I do it?
Question by:Quintin79
25 Comments
 
LVL 8

Expert Comment

by:daffodils
ID: 12022709
Actually Session.Abandon works.. it kills the current session..
But to update SessionID, you would need to do something that can be taken as a new Request.. that is when a new Session ID will be generated and assigned to the Session. Since you are not closing the browser, you would need to do something, like a button click postback, to start a new Session.

Try this simple example.. place a Label and a Button on a web form.. now in your code behind, copy my code.

private void Page_Load(object sender, System.EventArgs e)
{
    if(!IsPostBack)
    {
        Label1.Text = "Old Session: " + Session.SessionID.ToString();
        Session.Abandon();
    }
}

private void Button1_Click(object sender, System.EventArgs e)
{
    Label1.Text += "New Session: " + Session.SessionID.ToString();
}

On Page Load, you would see a Session ID and after you click on the button, you would see a new Session ID.
0
 
LVL 1

Author Comment

by:Quintin79
ID: 12022729
Hi, thanks for the prompt reply, but I don't really speak C, although I can follow it.

What I was doing with my abandon command was, when the logout.aspx page loads, I was calling session.abandon() to clear all member credentials and then creating some new session variables for the guest account. This worked but didn't assign a new session id. What steps would I need to add in here to get a new id?

thanks
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12022812
Oh.. well I don't speak VB very well :))

Okay so, how do you logout..
Do you have a logout button on a page (other than logout.aspx) that allows a user to logout?
In that case.. call Session.Abandon() in the Click event of the Logout button, just before you call the "logout.aspx".
Now when the logout.aspx loads, a new Session ID will be created.
0

 
LVL 1

Author Comment

by:Quintin79
ID: 12022841
Well, there's no button that does it, it's just a link to the logout page and that page does all the work. Would it work if I just response.redirected back to that page again?
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12022892
I tested that.. it doesn't work. The deal is to fool the application into thinking that this is a new page request.
Hmm.. give me a minute.. let me try.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023039
wo.. I tried all sorts of combinations with Button, LinkButton and even <a href> (with runat=server), redirections back to the same page, new page etc etc etc.. but it doesn't seem to work.

The only workaround I see is that.. on logout.aspx load (this is not VB), abandon the session and then use a "Confirm Logout" button to generate a new Session ID.

...Page Load Function..
If Not PostBack
  Session.Abandon()
  Label1.Text = Session.SessionID
end if

...Confirm Logout button click Function..
Label2.Text = Session.SessionID

The reason this works is because there is a "genuine" new user request, all the window.opens, Response.Redirects, Server.Transfers execute FROM the code running on the server, it doesn't come as a browser request. And so they get the same Session ID, while a new request gets assigned a "shiny new" Session ID.
0
 
LVL 20

Accepted Solution

by:
ihenry earned 50 total points
ID: 12023076

I don't believe you can change SessionID in one browser session. The correct behaviour is the SessionID remains the same as long as the browser session, even after the session times out or is abandoned.
0
 
LVL 8

Assisted Solution

by:daffodils
daffodils earned 75 total points
ID: 12023082
chuck that.. it doesn't work!!!
0
 
LVL 1

Author Comment

by:Quintin79
ID: 12023088
iHenry, are you definitely right? I thought this might have been the case but wasn't sure.

Daffodils thanks for the efforts though
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023089

:o)
Take out the Session_Start event from global.asax then you can see the SessionID keeps changing on every request. But I don't think this is what you want.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023159
iHenry.. am not so sure about that though.. Check my first reply, that example works!
what I have not been able to figure out is.. why does that example work ??
and why doesn't it work, when the same page is called from another page??
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023253
hi daffodils

I tried your example, it doesn't work. It's showing the same SessionID on every request.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023279
You mean on every button click for a stand-alone web page??
weird .. works for me!
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023284
Check the global.asax.vb or global.asax.vb, do you have the Session_Start event there?
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023316
yep.. I just created a brand new project and placed a webform on it.
Then the Label and Button.. and the code copied from above.. works!

Yet it doesn't for you.. this is crazy.. really really weird and crazy!
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023515
Mine is also a brand new project :o)) Another try, assign something to Session before abandon.
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12023811
wow.. don't tell me!
Okay so.. I tried assigning something to the Session before abandon.. and guess what..

I can't retrieve it in the Button_Click or in the Page_Load outside of the "if(!IsPostBack)" block!
So that means Session is effectively empty.

0
 
LVL 20

Expert Comment

by:ihenry
ID: 12023946
mm..isn't that the correct behaviour? Session.Abandon cancels the current session and clears all the session variables but it shouldn't as well clear the SessionID..
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12024065
oh yes it is the correct behavior.
Session.Abandon
- cancels the current session
- clears all the session variables
- And clears the SessionID

But why doesn't it happen at your end ??
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12024129

"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This information is widely known as ASP.NET behaviour. I guess it's not difficult for you to get where the information came from :o)
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12029085
Q: Why does the SessionID remain the same after the Session times out or is abandoned?
A: Even though the session state expires after the indicated timeout period, the session ID lasts as long as the browser session. What this implies is that the same session ID can represent multiple sessions over time where the instance of the browser remains the same.

Q: Why does the SessionID change in every request?
A: This may happen if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing.

I found these in the article here...
http://www.eggheadcafe.com/articles/20021016.asp

>>>"Normally SessionID lasts as long as the browser session and it might change if your application has never stored anything in the session state. In this case, a new session state (with a new ID) is created in every request, but is never saved because it contains nothing."

This is not so in my case...
- Created a Session object and assigned a value to it.
- Retrieved the Session object 'test' and displayed it on a Label control
- Print old Session ID
- Session.Abandon()
- Click the Button
- Print new Session ID
- The Session object 'test' contains null.

So, the application has stored something and retrieved it successfully to/from the Session state before Abandon.
Then why is a new Session ID created?
And the SessionID does not change with every request.. only the very first postback (id2 is generated).. on every subsequent button click or postback or refresh, the Session ID remains the same (id2).
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12033792

daffodils, I'm able to reproduce your case and I hope with my understanding I can explain this peculiar case in more details.

As you know, I know and we know, this is the life cycle process of Session in ASP.NET:
[1]. User makes a request to the server
[2]. ASP.NET retrieves request session id from http cookie (ASP.NET_SessionId) that is attached in http request of the client browser. ASP.NET then looks for the same session id in the configured state provider storage (Session dictionary, SQL Server or NT state service). If one does not exist ASP.NET generates a new session id and raises the Session_OnStart event.
[3]. Other server-side process...
[4]. ASP.NET sends http response back to the client with the session id attached.


This is what happens after you press F5 to start your sample case
1. Step [1]
2. Step [2]
3. a. Assign some data to Session dictionary
    b. Abandon - (*)
4. Step [4]
(*) This however DESTROYS the dictionary associated with the session BEFORE THE REQUEST IS COMPLETED, therefore the dictionary IS STILL EMPTY.


And this is when you click on the button and the page posts back for the first time
1. Step [1]
2. Step [2], (**)
3. Step [3]
4. ......etc
(**) NO DATA FOUND in the state provider storage and new session id is generated. And Session_OnStart event is defined therefore session state is saved - dictionary IS NOT EMPTY.

I guess you have already known now what happens after the subsequent request
1. Step [1]
2. Step [2] (***)
3. .......etc
(***) ASP.NET found the corresponding session id from the cookie in the state provider storage. As a result, the session id remains constant for all subsequent requests.


0
 
LVL 20

Expert Comment

by:ihenry
ID: 12033814
And this is the sample application to help me describe better what I have explained above.

--- page.cs
private void Page_Load(object sender, System.EventArgs e)
{
      Response.Write( "Page_Load<br>" );
      Session["test"] = "test";
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<BR>", Session["test"]) );
      if ( !Page.IsPostBack )
            Session.Abandon();
      Response.Write( "End of Page_Load<br>" );
}


private void Button1_Click(object sender, System.EventArgs e)
{
      Response.Write( "Button1_Click<br>" );
      Response.Write( String.Format("{0}, {1}, {2}<br>", Session.Count, Session.IsNewSession, Session.SessionID) );
      Response.Write( String.Format("Session value: {0}<br>", Session["test"]) );
      Response.Write( "End of Button1_Click<br>" );
}

-------- global.asax.cs
protected void Session_Start(Object sender, EventArgs e)
{
      Response.Write( "Session_Start<br>" );
}
0
 
LVL 20

Expert Comment

by:ihenry
ID: 12055576
have forgotten this question, daffodils :o)
0
 
LVL 8

Expert Comment

by:daffodils
ID: 12057638
Hey ihenry,
good to hear from you again.. actually I had forgotten all about it .. <sheepish smile> :))
sorry about that.. got tied up with something and forgot all about testing your code.

I understood about the "request not completing" part.. think that was the *peculiar* part of my scenario :)).
In fact that answers the question - why a simple Response.Redirect to my same page was not working.. because once the request is complete, the Session ID will not change until the browser closes.

Thanks a lot for staying by me on this one.. it really cleared up a lot of things about request processing in .NET ..had to look up documentation on MSDN, didn't get around to reading them completely though ;)), maybe someday :)).

Thanks ihenry ... and sorry, I should have replied earlier.
until next question then :)) ~ Regards, Ritu
0
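Added example, not part of the original thread or written by any of its participants: a logout code-behind that forces a fresh session ID by abandoning the session and also expiring the ASP.NET_SessionId cookie named in the lifecycle description above, so the next request arrives without the old ID. The class name Logout and the landing page default.aspx are hypothetical, and the code assumes cookie-based sessions with the default cookie name.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for the logout.aspx page discussed in the thread.
public class Logout : Page
{
    // Default session cookie name (assumption: not renamed in web.config).
    private const string SessionCookieName = "ASP.NET_SessionId";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Remove the member's server-side state and mark the session
        // for destruction at the end of this request.
        Session.Clear();
        Session.Abandon();

        // Session.Abandon() alone leaves the cookie in the browser, so the
        // same ID is presented again on the next request. Overwrite it with
        // an empty, already-expired cookie so the browser discards it.
        HttpCookie expired = new HttpCookie(SessionCookieName, "");
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        Response.Cookies.Add(expired);

        // Do not create the guest session variables here: this session is
        // being abandoned, so anything stored now is lost. Send the browser
        // to a landing page (hypothetical name) and store guest state there;
        // that request carries no session cookie and is issued a new ID.
        Response.Redirect("default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Applying the same cookie reset immediately before marking a user as authenticated at login means a session ID that was known before login is not carried into the authenticated session.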
