Jarrod Everett

Reputation: 801

Generating new SessionId in ASP.NET

On login I want to generate a new SessionId. I have found one solution that works, but it requires some pretty hackish things and requires the app to have the Full Trust securityPolicy setting.

Is there any other way to achieve this?

Upvotes: 8

Views: 29156

Answers (2)

Larry Silverman

Reputation: 1053

I'm currently considering a configuration-based solution, rather than a code-based one. I would configure either the web server or load balancer to strip away request and response headers containing cookies for just the login page. Remove the "cookie" headers for request headers and "set-cookie" for response headers.

Every request (GET or POST) to the login page will contain no cookie information, thus forcing ASP.NET to create a new session and (more importantly) a new session id.

It's less efficient than forcing a new session creation on login, but the technique could be useful in cases where you cannot modify the code.

Upvotes: 0

Joe Enos

Reputation: 40383

Looks like this works:

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing out that cookie, a new session with a new session ID will be created at the server.

(Reference: Microsoft Support)

EDIT: Here's an example using AJAX (with jQuery) to call the server code without a page refresh - it calls twice, once to remove the first session, and once to generate a new one. There may be a better way, but this does work.

function newSession() {
    jQuery.ajax({
        type: "POST",
        url: "WebForm1.aspx/ClearSession",
        data: "{}",
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        success: function () {
            jQuery.ajax({
                type: "POST",
                url: "WebForm1.aspx/NewSession",
                data: "{}",
                dataType: "json",
                contentType: "application/json; charset=utf-8",
                success: function () { console.log("Success!"); },
                error: function (x, y, z) {
                    console.log("Failure!");
                }
            });
        },
        error: function (x, y, z) {
            console.log("Failure!");
        }
    });
}

And on the code-behind (for WebForms - you could also do this with an MVC controller):

[WebMethod]
public static void ClearSession()
{
    HttpContext.Current.Session.Abandon();
    HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
}

[WebMethod]
public static void NewSession()
{
    HttpContext.Current.Session["x"] = 123;
}

Upvotes: 9
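Both answers aim for the same observable result: the `ASP.NET_SessionId` value the browser holds after login differs from the one it held before. The following check for that result is an added example, not code from either answer. It replays captured `Set-Cookie` headers, and the `step` labels, the function names and the two captures are constructed for illustration.

```javascript
// Added example: verifies session-ID rotation from captured response headers.
// The captures below are constructed sample data, not real traffic.
const COOKIE = "ASP.NET_SessionId";

// Return the value a Set-Cookie header assigns to `name`, or null if it sets another cookie.
function cookieValue(setCookie, name) {
  const pair = setCookie.split(";")[0];
  const eq = pair.indexOf("=");
  if (eq < 0 || pair.slice(0, eq).trim() !== name) return null;
  return pair.slice(eq + 1).trim();
}

// Replay the responses in order and track the session ID the browser would hold.
// `exchanges` is [{ step: "pre-login" | "login" | "post-login", setCookie: [...] }].
function checkRotation(exchanges) {
  let current = null;
  const seen = {};
  for (const ex of exchanges) {
    for (const header of ex.setCookie) {
      const v = cookieValue(header, COOKIE);
      if (v !== null) current = v; // an empty value means the cookie was cleared
    }
    seen[ex.step] = current;
  }
  const before = seen["pre-login"];
  const after = seen["post-login"];
  if (!before) return { ok: false, reason: "no pre-login session ID captured" };
  if (!after) return { ok: false, reason: "no session ID after login" };
  if (before === after) return { ok: false, reason: "session ID reused after login" };
  return { ok: true, reason: "session ID rotated" };
}

// Constructed capture: login response blanks the cookie, next response issues a new ID.
const rotated = [
  { step: "pre-login", setCookie: ["ASP.NET_SessionId=aaaa1111; path=/; HttpOnly"] },
  { step: "login", setCookie: ["ASP.NET_SessionId=; path=/"] },
  { step: "post-login", setCookie: ["ASP.NET_SessionId=bbbb2222; path=/; HttpOnly"] },
];
// Constructed capture: login never touches the cookie, so the pre-login ID survives.
const fixated = [
  { step: "pre-login", setCookie: ["ASP.NET_SessionId=aaaa1111; path=/; HttpOnly"] },
  { step: "login", setCookie: [] },
  { step: "post-login", setCookie: [] },
];

console.log(checkRotation(rotated).reason);
console.log(checkRotation(fixated).reason);
```
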
