Zoop

Reputation: 1115

ASP.NET Core: Session Id Always Changes

Today started a brand new ASP.NET Core site. Followed the instructions to add sessions. We print out the Session ID on the index page, and it is always unique.

I figure it may be cookie compliance, so I nuked all cookies, both in Chrome's advanced settings and debugger. But the banner won't reappear for me to accept.

I also tried simply disabling CheckConsentNeeded, but that also had no impact.

Pretty much a duplicate from the default project plus MSDN, except for the tweaks described above:

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromSeconds(10);
            options.Cookie.HttpOnly = true;
            //options.Cookie.SecurePolicy = CookieSecurePolicy.Always; //require https
            // Make the session cookie essential
            options.Cookie.IsEssential = true;
        });

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => false; //true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });


        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseSession();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Upvotes: 9

Views: 11409

Answers (3)

我零0七

Reputation: 483

About the question.

Your session ID is determined by the client's cookie. You can check the value in Chrome DevTools.

The default key is .AspNetCore.Session.


If your .AspNetCore.Session or Cookie is null, your server will automatically create a new session ID.

So, check your request headers first.

In the last image, you can see that Host is not the same as Origin; with the CORS problem, the request will not include the Cookie by default.

You can add the withCredentials header to the request to solve the problem.

In axios you can do it like this:

    const instance = axios.create({
        // Send cookies (including .AspNetCore.Session) on cross-origin requests.
        withCredentials: true,
        baseURL: BASE_URL
    });
    instance.get('/todos');

Upvotes: 1

Bob Kaufman

Reputation: 12835

Zoop’s answer inspired me, but as my comment suggests, it becomes messy should your application have a lot of actions. Based on their answer, I came up with this:

Create a base controller for your application if you don’t have one already. Derive all of your existing controllers from that controller. Override the base method that behaves like the old Page_Load from ASP.NET. OnActionExecuting gets invoked before any action code does.

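    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class MyApplicationController : Controller
    {
        // Runs before every action on controllers derived from this class.
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            base.OnActionExecuting(filterContext);
            HttpContext.Session.Set("What", new byte[] { 1, 2, 3, 4, 5 });
        }
    }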

EDIT: This is an imperfect solution as well. I have abandoned trying to use Session at all in my MVC project. This will work in cases where you don't do anything but GET and POST. (e.g., $ajax will mess this up.)

Upvotes: 2

Zoop

Reputation: 1115

Wiktor Zychla was correct in the first comment: you must assign any data for the ID to stick.

I simply assigned any data to the session in my controller:

    public IActionResult Index()
    {
        // Writing any value makes the session (and its ID) persist across requests.
        HttpContext.Session.Set("What", new byte[] { 1, 2, 3, 4, 5 });
        return View();
    }

After that, HttpContext.Session.Id did not change, as one would expect.

As my first foray into ASP.NET Core from ASP.NET Framework, I didn't expect that, and I am sure I won't be the last!

Upvotes: 19
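The same fix applied once in the pipeline rather than per action or per controller, as an added example that is not code from any of the posts above. It assumes the ASP.NET Core 2.1 pipeline used in the question; the `_SessionStarted` key is a made-up name, and the cookie flags are set to the stricter values the question left commented out.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical marker key: any key works, the write is what matters.
    private const string MarkerKey = "_SessionStarted";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();
        services.AddSession(options =>
        {
            options.Cookie.HttpOnly = true;                          // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
            options.Cookie.IsEssential = true;                       // exempt from the consent check
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseSession();

        // Must sit after UseSession and write before the response starts:
        // as the answer above found, the ID only sticks once data is assigned.
        app.Use(async (context, next) =>
        {
            if (!context.Session.TryGetValue(MarkerKey, out _))
            {
                context.Session.Set(MarkerKey, new byte[] { 1 });
            }
            await next();
        });

        // Stand-in endpoint for the question's index page.
        app.Run(async context =>
        {
            // Stays the same on every request that sends the session cookie back.
            await context.Response.WriteAsync(context.Session.Id);
        });
    }
}
```

Because the write happens in middleware, it also covers AJAX calls and any controller that does not derive from a shared base class. Every first-time visitor now gets a stored session, so each one adds an entry to the server-side cache.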
