Hi Xenophon,
As Daniel has mentioned, we can use HttpSessionState.IsNewSession to
determine whether the session was newly created by the current request.
However, if your actual concern is the problem with using cookieless
sessions, I'm afraid we don't have any built-in means to detect whether the
client of the coming request is really the correct user associated with the
SessionState (identified by the sessionid embedded in the URL). That means if A is
visiting the ASP.NET web app through sessionidA and B pastes
sessionidA directly into his URL, B will also make use of A's
session state. In fact, this is because the server side doesn't have enough
information to distinguish users in the cookieless scenario. And if you'd like
to manually detect such a condition, you can try maintaining a server lookup
list which records each sessionid together with its client user's IP
address. Anyway, even when using cookieless Session, it's still very rare that a
sessionID is reused, since every user will have their own randomly generated
sessionid.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
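
The lookup list suggested in the reply above could look like the following. This is an added example, not code from the original post: the `SessionOwners` dictionary and the choice to answer a mismatch with HTTP 403 are assumptions, and it assumes InProc session state so that `Session_End` fires.

```csharp
// Global.asax.cs (added illustration, not code from the original post)
using System;
using System.Collections.Concurrent;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical lookup list: SessionID -> IP address that first used it.
    private static readonly ConcurrentDictionary<string, string> SessionOwners =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // Defining Session_Start makes ASP.NET persist the session (and keep its
    // ID) even before the application stores anything in it.
    protected void Session_Start(object sender, EventArgs e) { }

    // Session state becomes available at AcquireRequestState.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;
        if (ctx.Session == null)
            return; // this handler does not use session state

        string id = ctx.Session.SessionID;
        string ip = ctx.Request.UserHostAddress ?? string.Empty;

        // The first request seen for an ID records its address; every later
        // request must come from that same address.
        string owner = SessionOwners.GetOrAdd(id, ip);
        if (!string.Equals(owner, ip, StringComparison.Ordinal))
        {
            // Reject only this request. The session itself is left alone so
            // that a pasted URL cannot be used to log the real owner out.
            ctx.Response.StatusCode = 403;
            ctx.Response.StatusDescription = "Session bound to another client";
            CompleteRequest();
        }
    }

    // Raised only with InProc session state; with other modes the entries
    // need their own expiry or they accumulate.
    protected void Session_End(object sender, EventArgs e)
    {
        string removed;
        SessionOwners.TryRemove(Session.SessionID, out removed);
    }
}
```

An IP match is only a heuristic: clients behind the same NAT or proxy share an address, and a legitimate client's address can change during a session.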