user358089

In ASP.Net, Can I find out if another session exists or is valid by a session Id?

Is there a way to find out if a session Id is valid from within an existing request context? In that, if I'm given a session Id, and I'm currently in another session initiated by an HTTP request and I'm on a page or in some class, can I validate that session Id, if it's valid and currently exists and hasn't been abandoned?

The reason for this is, we need to lock down the user login process on the page for the project I'm working on so that any user can only be logged in once. My thought on this was to add a session id column to the user table, if it's null, they're logged out, and it's set when they log in and cleared when they log out or on Session_End in global.asax. However, if for some reason a session is abandoned without clearing that, I need to be able to log them in again, and in that case whenever they log in and it finds a session Id in that column, I'm thinking it should somehow check to see if that Session Id is active and valid, if not, it'll reset it to their new session Id and allow them to log in.

Thanks

Upvotes: 6

Views: 4989

Answers (4)

jbl

Reputation: 15413

Another option you have/had :-) would be to use WeakReferences:

  • a Dictionary<youruseridtype,WeakReference> is stored at application level as Application["mySessionDictionnary"]
  • upon starting a Session, you store the userid and a WeakReference to the Session object itself in the Dictionary
  • when a user wants to log in, you check in the Dictionary for his or her id. If there is a non-empty WeakReference to a Session object, you are able to Abandon() this existing Session object, ensuring there is no more than one active session per user.

The WeakReference ensures that you will not suffer memory leaks.

NB: this would only work with InProc session management. As the Dictionary would not survive an application restart, it should be the same for sessions.

Hope that you already found the right answer to your problem ;-)

Upvotes: 1

Peter Monks

Reputation: 4389

The only way I can think is to do as Neperz says and store your sessions in a database using the SQLServer session provider, meaning you can then use an SQL query to see what is available.

But there are some caveats to consider:

  1. I believe the session ID stored in the session database table is not exactly the same as the session ID you can access from code. I can't exactly remember where I read this, but I think I experienced this problem when I was doing something similar to monitor all active sessions.
  2. The global Session_End event will never fire if using the SQLServer session provider.
  3. Unless you explicitly use Session.Abandon() in your code to finish a session (e.g. when a user logs out), your sessions can hang around until an SQL Agent job cleans up any expired sessions. This means that if someone just closed their browser window then their session would still appear as "active" which may complicate your implementation.

Upvotes: 1

Felipe Mendonça

Reputation: 31

You need to store sessions in a database in order to find them.
See more in HOW TO: Configure SQL Server to Store ASP.NET Session State

Upvotes: 2

Alexei Levenkov

Reputation: 100547

There is no direct way of validating SessionId. Options:

  • You can implement your own session state provider (or maybe an ID manager would be enough) to expose access to that information (http://msdn.microsoft.com/en-us/library/aa479024.aspx).
  • Simply try to cheat by setting the session ID cookie based on the ID that you think the current user should have and re-render the page. On the second request you'll be able to see if that ID corresponds to valid state and re-login if needed.

Note: I would not use session Id for that purpose as you'll be relying on implementation details. Maybe simply rejecting sessions that do not look like the latest for this user would work. Having "my current session name" property saved in Session["someName"] and in user DB should be enough to reject rendering of older sessions.

Upvotes: 0
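
The note in the answer above (keep a "current session name" both in Session and in the user DB, and reject older sessions), as an added C# example that is not part of any answer on this page. The class name SingleLoginGuard, the in-memory dictionary standing in for the user-table column, and the Session["LoginToken"] key are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper: one active login per user, tracked with a random
// per-login token rather than the ASP.NET session ID.
public sealed class SingleLoginGuard
{
    // Stand-in for a "current login token" column in the user table (assumption).
    private readonly ConcurrentDictionary<string, string> _current =
        new ConcurrentDictionary<string, string>();

    // Call after credentials are verified and keep the result in
    // Session["LoginToken"]. It overwrites the token of any earlier login.
    public string BeginLogin(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _current[userId] = token;
        return token;
    }

    // Call on every authenticated request with the token held in Session.
    // false means a newer login exists: abandon this session and redirect.
    public bool IsCurrent(string userId, string sessionToken)
    {
        string stored;
        return sessionToken != null
            && _current.TryGetValue(userId, out stored)
            && string.Equals(stored, sessionToken, StringComparison.Ordinal);
    }

    // Call on explicit logout. A stale session cannot clear a newer login.
    public void EndLogin(string userId, string sessionToken)
    {
        string removed;
        if (IsCurrent(userId, sessionToken)) _current.TryRemove(userId, out removed);
    }
}
public static class Demo
{
    public static void Main()
    {
        var guard = new SingleLoginGuard();
        string first = guard.BeginLogin("alice");   // constructed user, browser A
        string second = guard.BeginLogin("alice");  // same user, browser B, later
        Console.WriteLine(guard.IsCurrent("alice", first));   // older session
        Console.WriteLine(guard.IsCurrent("alice", second));  // latest session
    }
}
```

Because a new login simply replaces the stored token, an abandoned session that never fired Session_End cannot lock the user out, and no lookup of another session's state is required.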
