sessionId is reused after calling session.abandon

Discussion in 'ASP .Net' started by Andy Fish, Jan 17, 2005.

  1. Andy Fish

    Hi,

    I have an asp.net application that is using Forms Authentication and
    maintaining http session state using cookies in the normal way.

    When the user clicks the logout button I do this:

    Session.Clear();
    Session.Abandon();
    FormsAuthentication.SignOut();
    Response.Redirect("Default.aspx");

    This in turn causes Forms Authentication to redirect them to the login page.
    AFAIK this is standard practice.

    However, if the user immediately logs back in again from the same browser
    window they get the same SessionId. How so?

    I thought Session Ids were supposed to be unique? Has the session ID been
    re-used again already or was it not cleared?

    TIA for any thoughts.

    Andy
    Andy Fish, Jan 17, 2005
    #1

  2. I believe the SessionID is set up on the first connection between the
    IExplorer process and the remote server. The same ID is used because the
    Session is technically the same session.

    However the Session memory has been removed and the Session Start method
    will be called in your global.cs.

    bill

    William F. Robertson, Jr., Jan 17, 2005
    #2

  3. Andy Fish

    hmm,

    I'm using Session_End (in global.asax) to clear up stuff relating to the
    session, and some of it uses the session id to identify the session.

    In this case, is it possible that my Session_End function could be called
    when there is another session in use with the same id? - that would really
    screw up my tidy up processing.

    Andy


    Andy Fish, Jan 17, 2005
    #3
  4. This is speculation, but I feel pretty confident about it.

    I make a request.
    SessionID: 77

    The application begins processing my request, sees there is no Session data
    for SessionID: 77. Calls Session_Start.

    I go through the site and logout.
    SessionID 77 is removed from Session data.
    Session_End removes SessionID 77 from the collection.

    I make another request.
    SessionID: 77

    The application begins processing my request. Since I removed SessionID:
    77, the application calls Session_Start.

    Regarding your question: I am not sure exactly how you are doing this, but
    if you are concerned about it, you probably should generate your own
    Session_Instance_ID, and pass this item through each request.

    bill


    William F. Robertson, Jr., Jan 17, 2005
    #4
  5. Andy Fish

    Thanks bill,

    After a bit of investigation, it seems to me that Session_End is called
    immediately after I call Session.Abandon, so I guess I am safe.

    Andy

    Andy Fish, Jan 17, 2005
    #5
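
Added example (not part of the thread and not the posters' code): Session.Abandon() discards the server-side state, but the browser keeps sending the same session cookie, so the next session is created under the same SessionID. The code below combines the per-instance identifier suggested in post #4 with a logout that also expires that cookie. SessionResources, InstanceKey and Logout.SignOut are hypothetical names; the cookie name is the ASP.NET default and InProc session state is assumed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Hypothetical registry of per-session resources, keyed by a per-instance ID
// instead of Session.SessionID, which repeats while the browser keeps its cookie.
public static class SessionResources
{
    static readonly ConcurrentDictionary<string, IDisposable> Items =
        new ConcurrentDictionary<string, IDisposable>();

    public static void Register(string instanceId, IDisposable r) { Items[instanceId] = r; }
    public static void Release(string instanceId)
    {
        IDisposable r;
        if (instanceId != null && Items.TryRemove(instanceId, out r)) r.Dispose();
    }
}

public class Global : HttpApplication
{
    public const string InstanceKey = "SessionInstanceId"; // assumed key name
    protected void Session_Start(object sender, EventArgs e)
    {
        // New value for every session instance, even when SessionID is reused.
        Session[InstanceKey] = Guid.NewGuid().ToString("N");
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Session_End is raised only with InProc session state.
        SessionResources.Release(Session[InstanceKey] as string);
    }
}

public static class Logout
{
    public static void SignOut(HttpContext ctx)
    {
        // Session.Clear() is left out so the instance ID is still there for Session_End.
        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        // Expire the session cookie so the next request is issued a new SessionID.
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
            { Expires = DateTime.UtcNow.AddDays(-1) });
        ctx.Response.Redirect("Default.aspx");
    }
}
```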