Reputation: 13278
In my ASP.NET web app I call Session.Abandon() in Page_Load(). I would expect this would abandon the session straight away and the next time I reference the HttpContext.Current.Session a new session should be created. However, putting breakpoints on the Session_End and Session_Start handlers in Global.asax indicates that these aren't called until the page has finished rendering.
So two questions:
1) Why?
2) How can I continue to use HttpContext.Current.Session within a page lifecycle once Session.Abandon() has been called?
Thanks in advance!
Upvotes: 6
Views: 7266
Reputation: 33098
This was my solution:
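    private void PurgeSession()
    {
        // Each step has its own try/catch so a failure in one does not stop the rest.
        try
        {
            // Remove all keys and values from the current session.
            Session.Clear();
        }
        catch (Exception) { }
        try
        {
            // Flag the session for destruction at the end of the request.
            Session.Abandon();
        }
        catch (Exception) { }
        try
        {
            // RemoveAll() is equivalent to Clear().
            Session.RemoveAll();
        }
        catch (Exception) { }
        try
        {
            // Expire the session cookie so the browser stops sending the old id.
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId")
                { Expires = DateTime.Now.AddYears(-1) });
        }
        catch (Exception) { }
    }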
This is effectively the orbital bombardment option.
Some information sourced from: http://www.dotnetfunda.com/articles/article1395-how-to-avoid-the-session-fixation-vulnerability-in-aspnet-.aspx
Upvotes: 4
Reputation: 51634
Session.Abandon() actually waits until the page has been rendered.
Upvotes: 2
Reputation: 10561
http://msdn.microsoft.com/en-us/library/ms524310(v=vs.90).aspx
Look at the remarks section on the linked page. Looks like the session objects are only queued for deletion, and not deleted until the code finishes running.
Upvotes: 11
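An added example, not part of any of the answers above: because Session.Abandon() only queues the session for deletion, a new session cannot be obtained inside the same request, so the usual pattern is to abandon, expire the cookie, and redirect so that the next request starts a fresh session. The page class name `Logout` and the redirect target `~/Login.aspx` are assumptions made for this sketch.

```csharp
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.UI;

// Hypothetical code-behind for a logout page; the class name and the
// redirect target "~/Login.aspx" are assumptions made for this example.
public partial class Logout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string idBefore = Session.SessionID;

        // Clear() takes effect immediately: stored values are gone now.
        Session.Clear();

        // Abandon() only flags the session. The Session object stays usable
        // and Session_End (InProc mode) fires after this request has finished.
        Session.Abandon();
        System.Diagnostics.Debug.Assert(Session.SessionID == idBefore);

        // Abandon() does not touch the cookie, so the browser would send the
        // same id again. Read the configured cookie name (default
        // "ASP.NET_SessionId") and overwrite it with an expired, empty cookie.
        var section = (SessionStateSection)
            WebConfigurationManager.GetSection("system.web/sessionState");
        var expired = new HttpCookie(section.CookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(expired);

        // Finish this request without aborting the thread. The next request
        // arrives with no session cookie, so ASP.NET issues a new id and
        // runs Session_Start.
        Response.Redirect("~/Login.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Any code that needs the new session, for example to store the authenticated user after login, belongs in the page handling the redirected request, not after the Abandon() call.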