In ASP.NET 2.0, this is programmable via the sessionState setting:
regenerateExpiredSessionId, settable to "true" or "false"
<sessionState mode="InProc" cookieless="UseCookies" regenerateExpiredSessionId="false"
timeout="20">
Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
Foros de ASP.NET en Español
Ven, y hablemos de ASP.NET...
======================
"John Timney (ASP.NET MVP)" <ti*****@despammed.com> wrote in message
news:O6**************@TK2MSFTNGP10.phx.gbl...
if the session has actually ended there is anothing to stop them being given the same
session ID as the session ID's are recycled. Check your session is ending correctly by
loading a session value in one session and checking it in another via a different page
request.
--
Regards
John Timney
ASP.NET MVP
Microsoft Regional Director
"Steffen Loringer" <st**************@freenet.de> wrote in message
news:3i************@news.dfncis.de... Hi
I'm using Session.Abandon() to end a user session when clicking the Logout button of
the application. But if the user request the page directly via URL in IE the server
starts processing the page again.
The sessionIDs are the same in both cases.
I expected the sessionID not to be valid anymore.Should one end the user session in
another way? If a user is logged out he should be redirected to the login page if he
requests pages directly.
Thanks for help
Steffen