Creating a new SessionId in ASP.NET

On login, I want to create a new SessionId. I found one solution that works, but it requires some pretty hacky things and requires the application to have TrustPolicy full security settings.

Is there any other way to achieve this?

+3
2 answers

This seems to work:

    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing this cookie, a new session will be created on the server with a new session identifier.

(Link: Microsoft Support)

EDIT: Here's an example of using AJAX (with jQuery) to invoke server code without refreshing the page - it calls twice, once to delete the first session, and once to create a new one. Maybe the best way, but it works.

    function newSession() {
        jQuery.ajax({
            type: "POST",
            url: "WebForm1.aspx/ClearSession",
            data: "{}",
            dataType: "json",
            contentType: "application/json; charset=utf-8",
            success: function () {
                jQuery.ajax({
                    type: "POST",
                    url: "WebForm1.aspx/NewSession",
                    data: "{}",
                    dataType: "json",
                    contentType: "application/json; charset=utf-8",
                    success: function () { console.log("Success!"); },
                    error: function (x, y, z) { console.log("Failure!"); }
                });
            },
            error: function (x, y, z) { console.log("Failure!"); }
        });
    }

And by code (for WebForms - you can also do this using the MVC controller):

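    // Requires: using System.Web; using System.Web.Services;

    // First call: drop the current session and blank its cookie.
    [WebMethod]
    public static void ClearSession()
    {
        HttpContext.Current.Session.Abandon();
        HttpContext.Current.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
    }

    // Second call: storing a value makes the new session persist.
    [WebMethod]
    public static void NewSession()
    {
        HttpContext.Current.Session["x"] = 123;
    }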
+3
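The approach from the answer above placed in a login handler, as an added example (not code from either answer): the new identifier is only issued on the next request, so the handler writes nothing to Session and redirects, and the landing page populates the fresh session. Assumed here: Forms Authentication with a Membership provider, the default session cookie name, and the hypothetical names `Login`, `Home`, `UserName`, `Password`, `LoginButton_Click` and `~/Home.aspx`.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs (hypothetical page). UserName and Password are assumed to be
// TextBox controls declared in the page markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            return; // failed login: leave the anonymous session untouched
        }

        // Discard the pre-login session: its identifier existed before the
        // user authenticated and must not carry over (session fixation).
        Session.Abandon();

        // Blank the session cookie so the next request gets a fresh identifier.
        // "ASP.NET_SessionId" is the default name; use the configured one if
        // <sessionState cookieName="..."> overrides it.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

        // Identity travels in the forms-authentication cookie, not in the
        // session that was just abandoned.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Do not write to Session again in this request; end it with a redirect.
        Response.Redirect("~/Home.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Home.aspx.cs (hypothetical landing page).
public partial class Home : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // First request after login arrives with the new identifier. Storing
        // a value makes ASP.NET keep it instead of issuing one per request.
        if (Session.IsNewSession && User.Identity.IsAuthenticated)
        {
            Session["UserName"] = User.Identity.Name;
        }
    }
}
```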

I am currently considering a solution based on configuration, not code based. I would set up either a web server or a load balancer to cancel the request and response headers containing cookies for the login page only. Remove the cookie headers for the request headers and the set-cookie for the response headers.

Each request (GET or POST) to the login page does not contain information about cookies, thereby forcing ASP.NET to create a new session and, more importantly, a new session identifier.

This is less effective than forcing a session at login, but this method can be useful in cases where you cannot change the code.

0

Source: https://habr.com/ru/post/949021/

