Riz

Reputation: 6982

C# - WebForms - Can HttpContext.Current.SessionID be duplicated?

Whenever a user logs into my website, I am storing HttpContext.Current.SessionID in my user log table. I want to make sure: can this be duplicated? If yes, I want to make the column unique in the database. If it can be duplicated, is there anything to get from the session which will be unique and will never be regenerated in the future, like a GUID?

Upvotes: 3

Views: 3024

Answers (3)

foxy

Reputation: 7672

HttpContext.Current.SessionID will be unique for the current set of sessions only - that is, every session ID will be unique when it is active. However, once the session expires, there is no guarantee that new sessions will not have the same ID. If this is the case, any persistent data (based on a session ID) will now be referring to a different session.

Please also note the following remarks from the MSDN page.

The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application.

However, if the cookie is cleared, the session is restarted.

The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.

Upvotes: 8

Chase Florell

Reputation: 47357

The SessionID is NOT Unique.

It's unique at the time it is created, but not guaranteed to be unique over the course of time. For example, if IIS is restarted it may restart the numbering sequence.

Making a composite primary key or using a uniqueidentifier should suffice in this case.

http://weblogs.asp.net/bsimser/archive/2004/09/13/228713.aspx

Upvotes: 1

Erik Funkenbusch

Reputation: 93424

Why not make the userid and sessionid a composite primary key? Or the sessionid and datetime. That would make it impossible, or nearly impossible, to be duplicated.

Upvotes: 1
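
The approach suggested in the answers above (a generated unique identifier as the key, with the session ID kept as an ordinary non-unique column), as an added example that is not part of any answer. The `LoginLogRow` and `LoginLog` names and the in-memory dictionary standing in for the table are assumptions; storing a hash of the session ID instead of the raw value is an addition here, so the log never holds a value that could be presented as a session cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Hypothetical row for the user log table (names are illustrative).
public sealed class LoginLogRow
{
    public Guid LoginId;          // primary key: generated once per login
    public int UserId;
    public string SessionIdHash;  // correlation only, may repeat over time
    public DateTime LoggedInUtc;
}

public static class LoginLog
{
    // Stands in for the database table, keyed by the primary key.
    static readonly Dictionary<Guid, LoginLogRow> Table = new Dictionary<Guid, LoginLogRow>();
    // Store a SHA-256 digest rather than the raw session ID.
    public static string HashSessionId(string sessionId)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(sessionId));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }
    // In WebForms, pass HttpContext.Current.Session.SessionID after authentication.
    public static Guid RecordLogin(int userId, string sessionId)
    {
        var row = new LoginLogRow
        {
            LoginId = Guid.NewGuid(),
            UserId = userId,
            SessionIdHash = HashSessionId(sessionId),
            LoggedInUtc = DateTime.UtcNow
        };
        Table.Add(row.LoginId, row); // would throw only on a repeated key
        return row.LoginId;
    }
    public static void Main()
    {
        // Constructed sample: one session ID value arriving with two separate logins.
        const string reusedId = "constructed-session-id-01";
        Guid first = RecordLogin(42, reusedId);
        Guid second = RecordLogin(42, reusedId);
        Console.WriteLine("rows={0}, distinct keys={1}", Table.Count, first != second);
    }
}
```

In a real table the equivalent is a `uniqueidentifier` primary key with the session ID hash in a plain indexed column that carries no unique constraint.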
