SessionID is still the same after Session.Abandon call SessionID is still the same after Session.Abandon call asp.net asp.net

SessionID is still the same after Session.Abandon call


asp.net sessionid

Check this article which explains the process on session.abandon

http://support.microsoft.com/kb/899918

Taken from above link -

"When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance"

asp.net sessionid

This is a default behavior by design as stated here:

Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting regenerateExpiredSessionId attribute of the sessionState configuration element to true

You can disable this setting as mentioned above.

EDIT: Setting regenerateExpiredSessionId attribute to true works only for cookieless sessions. To overcome your problem, you can consider to implement a custom class that inherits SessionIDManager class. You can get information about that here and here.

asp.net sessionid

This is an old post but if someone is still looking for answers, here is a complete and step-by-step solution on how to achieve a clean logout with a new session ID every time.

Please note this article applies to cookie-enabled (cookieless=false) sites only.

Step (1) Modify your web.config file & add "regenerateExpiredSessionID" flag as under - 

<sessionState mode="InProc" cookieless="false" regenerateExpiredSessionId="true" />

Step (2) Add the following code in your logout event - 

Session.Clear(); Session.Abandon();Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", ""));Response.redirect(to you login page);

Step (3) Add the following code in your login page's page_load event - 

if(!IsPostBack) {    Session.Clear();     Session.Abandon();}

Step 2 and 3 serve one IMPORTANT purpose. This code makes sure a brand new Session ID is generated after you click the "Login" button. This prevents Weak Session Management (Session Fixation vulnerability) which will likely be spotted during a 3rd party Penetration Testing of your site.

Hope this helps.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last