Joe

Reputation: 1

Need the next SessionID after Session.abandon is called

To avoid session fixation/hijacking we are heeding the common advice to create a new ASP.Net session for a user after authentication. Sounds simple enough. When a user authenticates we call Session.Abandon(), clear the session ID cookie with Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")), then redirect the user.

However, how do we know on the new page that the user has logged in? We cannot check a session variable because there are none; we just started a brand new session.

I would swear, though I cannot find it now, that on this site someone explained how you can abandon a session and then get the next subsequent session ID. This way you could store that information. Then on the "Start Page" a new session would begin and that page could look up the old Session based on the new ID and validate that a user logged in.

So, are there any masters of the ASP.Net Session classes that know how to do this?

Upvotes: 0

Views: 1454

Answers (2)

chabzjo

Reputation: 626

I haven't been working on this for very long, but my current implementation is to abandon the session on the PageLoad of the login page.

That way, when the user fills in their login credentials and clicks the login button, you're already working off a fresh session id.

Upvotes: 0

Uwe Keim

Reputation: 40726

Could you, after the user authenticates:

  1. generate an entry in a database table (e.g. "UserLogins") that consists of e.g. a GUID, a DateTime and the user ID,
  2. then pass the GUID as a URL parameter to the redirected page,
  3. and on this page, read the URL parameter and compare it with the DB entry.

I do something similar when passing authentication "tokens" between otherwise independent applications, giving the user the experience of a single-sign-on.

Upvotes: 0
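The following is an added example, not code from the question or from either answer. It puts the two halves together: the abandon-and-clear-cookie step from the question, and the GUID handoff described in this answer, with the checks a practitioner would add (token expiry, single use, stripping the token from the URL after it is consumed). Everything named here is an assumption for illustration: the page names Login.aspx and Start.aspx, the UserName/Password/ErrorLabel controls, a connection string called "Main", an AuthenticateUser() helper defined elsewhere in the partial class, and a UserLogins table with the columns shown in the comment. Targets ASP.NET Web Forms on .NET 4.x with SQL Server.

```csharp
// Added example, not from the original post. Assumed table (hypothetical):
//   CREATE TABLE UserLogins (Token UNIQUEIDENTIFIER PRIMARY KEY, UserId INT NOT NULL,
//                            CreatedUtc DATETIME2 NOT NULL, Consumed BIT NOT NULL)
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        int userId;
        // AuthenticateUser is a hypothetical helper: false on bad credentials.
        if (!AuthenticateUser(UserName.Text, Password.Text, out userId))
        {
            ErrorLabel.Text = "Login failed.";
            return;
        }

        // Kill the pre-authentication session. Abandon() only takes effect at the end
        // of this request, so the replacement ID does not exist yet and cannot be read here.
        Session.Abandon();
        // Expire the cookie too: if the browser presents the old ID again, ASP.NET
        // reuses it, which is exactly what a fixation attack relies on.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        // One-time handoff record: GUID + user id + timestamp, as the answer describes.
        Guid token = Guid.NewGuid();
        using (var conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["Main"].ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO UserLogins (Token, UserId, CreatedUtc, Consumed) " +
            "VALUES (@t, @u, @c, 0)", conn))
        {
            cmd.Parameters.AddWithValue("@t", token);
            cmd.Parameters.AddWithValue("@u", userId);
            cmd.Parameters.AddWithValue("@c", DateTime.UtcNow);
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // The redirected request is the first one of the fresh session.
        Response.Redirect("~/Start.aspx?login=" + token.ToString("N"), false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

public partial class Start : Page
{
    // A token older than this is rejected even if it was never used.
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(1);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["UserId"] != null) return;   // already bound on an earlier request

        Guid token;
        int userId;
        if (Guid.TryParseExact(Request.QueryString["login"] ?? "", "N", out token)
            && ConsumeLoginToken(token, out userId))
        {
            // Bind the identity to the *new* session, then drop the token from the URL
            // so it does not linger in browser history, proxy logs or Referer headers.
            Session["UserId"] = userId;
            Response.Redirect("~/Start.aspx", false);
        }
        else
        {
            Response.Redirect("~/Login.aspx", false);   // missing, expired, reused or forged
        }
        Context.ApplicationInstance.CompleteRequest();
    }

    // Marks the token consumed and returns its user id in a single statement, so two
    // requests racing with the same GUID cannot both succeed.
    private static bool ConsumeLoginToken(Guid token, out int userId)
    {
        const string sql =
            "UPDATE UserLogins SET Consumed = 1 OUTPUT INSERTED.UserId " +
            "WHERE Token = @t AND Consumed = 0 AND CreatedUtc > @notBefore";
        using (var conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["Main"].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@t", token);
            cmd.Parameters.AddWithValue("@notBefore", DateTime.UtcNow - TokenLifetime);
            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matched
            userId = result == null ? -1 : (int)result;
            return result != null;
        }
    }
}
```

The GUID travels in the query string, so it is exposed to anything that sees URLs; the short lifetime, the single-use UPDATE and the immediate redirect to a token-free URL are what keep that exposure from turning into a login-by-replay. After the redirect the user's identity lives only in the new session, never in the URL.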
