By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
431,965 Members | 2,043 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 431,965 IT Pros & Developers. It's quick & easy.

sessionId is reused after calling session.abandon

P: n/a
Hi,

I have an asp.net application that is using Forms Authentication and
maintaining http session state using cookies in the normal way.

when the user clicks the logout button I do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Default.aspx")

This in turn causes Forms Authentication to redirect them to the login page.
AFAIK this is standard practice.

However, If the user immediately logs back in again from the same browser
window they get the same SessionId. how so?

I thought Session Ids were supposed to be unique? Has the session ID been
re-used again already or was is not cleared?

TIA for any thoughts.

Andy
Nov 19 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
I believe the SessionID is set up on the first connection between the
IExplorer process and the remote server. The same ID is used because the
Session is technically the same session.

However the Session memory has been removed and the Session Start method
will be called in your global.cs.

bill

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Or**************@TK2MSFTNGP12.phx.gbl...
Hi,

I have an asp.net application that is using Forms Authentication and
maintaining http session state using cookies in the normal way.

when the user clicks the logout button I do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Default.aspx")

This in turn causes Forms Authentication to redirect them to the login page. AFAIK this is standard practice.

However, If the user immediately logs back in again from the same browser
window they get the same SessionId. how so?

I thought Session Ids were supposed to be unique? Has the session ID been
re-used again already or was is not cleared?

TIA for any thoughts.

Andy

Nov 19 '05 #2

P: n/a
hmm,

I'm using Session_End (in global.asax) to clear up stuff relating to the
session, and some of it uses the session id to identify the session.

In this case, is it possible that my Session_End function could be called
when there is another session in use with the same id? - that would really
screw up my tidy up processing.

Andy
"William F. Robertson, Jr." <th****@nameht.org> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I believe the SessionID is set up on the first connection between the
IExplorer process and the remote server. The same ID is used because the
Session is technically the same session.

However the Session memory has been removed and the Session Start method
will be called in your global.cs.

bill

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Or**************@TK2MSFTNGP12.phx.gbl...
Hi,

I have an asp.net application that is using Forms Authentication and
maintaining http session state using cookies in the normal way.

when the user clicks the logout button I do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Default.aspx")

This in turn causes Forms Authentication to redirect them to the login

page.
AFAIK this is standard practice.

However, If the user immediately logs back in again from the same browser
window they get the same SessionId. how so?

I thought Session Ids were supposed to be unique? Has the session ID been
re-used again already or was is not cleared?

TIA for any thoughts.

Andy


Nov 19 '05 #3

P: n/a
This is speculation, but I feel pretty confident about it.

I make a request.
SessionID: 77

The application begins processing my request, sees there is no Session data
for SessionID: 77. Calls Session_Start.

I go through the site and logout.
SessionID 77 is removed from Session data.
Session_End removes SessionID 77 from the collection.

I make another request.
SessionID: 77

The application begins processing my request. Since I removed SessionID:
77, the application calls Session_Start.

Regarding your question: I am not sure exactly how you are doing this, but
if you are concerned about it, you probably should generate your own
Session_Instance_ID, and pass this item through each request.

bill
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:ef**************@TK2MSFTNGP10.phx.gbl...
hmm,

I'm using Session_End (in global.asax) to clear up stuff relating to the
session, and some of it uses the session id to identify the session.

In this case, is it possible that my Session_End function could be called
when there is another session in use with the same id? - that would really
screw up my tidy up processing.

Andy
"William F. Robertson, Jr." <th****@nameht.org> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I believe the SessionID is set up on the first connection between the
IExplorer process and the remote server. The same ID is used because the Session is technically the same session.

However the Session memory has been removed and the Session Start method
will be called in your global.cs.

bill

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Or**************@TK2MSFTNGP12.phx.gbl...
Hi,

I have an asp.net application that is using Forms Authentication and
maintaining http session state using cookies in the normal way.

when the user clicks the logout button I do this:

Session.Clear();
Session.Abandon();
FormsAuthentication.SignOut();
Response.Redirect("Default.aspx")

This in turn causes Forms Authentication to redirect them to the login

page.
AFAIK this is standard practice.

However, If the user immediately logs back in again from the same browser window they get the same SessionId. how so?

I thought Session Ids were supposed to be unique? Has the session ID been re-used again already or was is not cleared?

TIA for any thoughts.

Andy



Nov 19 '05 #4

P: n/a
Thanks bill,

After a bit of investigation, It seems to me that Session_End is called
immediately after I call Session.Abandon, so I guess I am safe

Andy

"William F. Robertson, Jr." <th****@nameht.org> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...
This is speculation, but I feel pretty confident about it.

I make a request.
SessionID: 77

The application begins processing my request, sees there is no Session
data
for SessionID: 77. Calls Session_Start.

I go through the site and logout.
SessionID 77 is removed from Session data.
Session_End removes SessionID 77 from the collection.

I make another request.
SessionID: 77

The application begins processing my request. Since I removed SessionID:
77, the application calls Session_Start.

Regarding your question: I am not sure exactly how you are doing this, but
if you are concerned about it, you probably should generate your own
Session_Instance_ID, and pass this item through each request.

bill
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:ef**************@TK2MSFTNGP10.phx.gbl...
hmm,

I'm using Session_End (in global.asax) to clear up stuff relating to the
session, and some of it uses the session id to identify the session.

In this case, is it possible that my Session_End function could be called
when there is another session in use with the same id? - that would
really
screw up my tidy up processing.

Andy
"William F. Robertson, Jr." <th****@nameht.org> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
>I believe the SessionID is set up on the first connection between the
> IExplorer process and the remote server. The same ID is used because the > Session is technically the same session.
>
> However the Session memory has been removed and the Session Start
> method
> will be called in your global.cs.
>
> bill
>
> "Andy Fish" <aj****@blueyonder.co.uk> wrote in message
> news:Or**************@TK2MSFTNGP12.phx.gbl...
>> Hi,
>>
>> I have an asp.net application that is using Forms Authentication and
>> maintaining http session state using cookies in the normal way.
>>
>> when the user clicks the logout button I do this:
>>
>> Session.Clear();
>> Session.Abandon();
>> FormsAuthentication.SignOut();
>> Response.Redirect("Default.aspx")
>>
>> This in turn causes Forms Authentication to redirect them to the login
> page.
>> AFAIK this is standard practice.
>>
>> However, If the user immediately logs back in again from the same browser >> window they get the same SessionId. how so?
>>
>> I thought Session Ids were supposed to be unique? Has the session ID been >> re-used again already or was is not cleared?
>>
>> TIA for any thoughts.
>>
>> Andy
>>
>>
>
>



Nov 19 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.