<< JavaScript code minimizer (not obfuscator!) | Home | WPF: Inheriting from custom class instead of Window >>

Another breaking change in ASP.NET 2.0: Session.SessionID

I only recently became aware of another breaking change in ASP.NET 2.0: In order to optimize session state management, some changes have been implemented. One of the most puzzling ones when you're not aware of it can be reproduced as follows:
  • In ASP.NET 1.1, create a new web application.
  • Add a label to the page, name it lblSessionID.
<asp:Label Runat="server" ID="lblSessionID" />
  • In the code behind, add the following code in the "Page_Load" method:
protected void Page_Load(object sender, EventArgs e) { lblSessionID.Text = this.Session.SessionID; }
  • Load the page in the web browser. Press F5 as many times as you like, and the SessionID remains the same.
This behaviour is expected, and my guess is that quite a few applications rely on the SessionID being consistent on every page refresh.
However, in ASP.NET 2.0, the behaviour is different, which may cause applications to break: If you create a new website (or a new web application) and reproduce all the steps above, the SessionID will be different on every refresh of the page. The reason is found in MSDN:
"When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object."
Since cookie-based session state is the default, this change of behaviour will affect existing web applications relying on the SessionID to identify the current user without having previously stored data in the Session object.
Here is a possible fix:
protected void Page_Load(object sender, EventArgs e) { if ( this.Session[ "dummy" ] == null ) { this.Session[ "dummy" ] = 1; } lblSessionID.Text = this.Session.SessionID; }
Not very elegant, and I can't say that I totally understand the reason why the ASP.NET team doesn't offer a better way to keep the SessionID consistent all the time, even when nothing is stored in the Session object. Anyway, this has caused me a few headaches, so hopefully this article will help other developers.
Print | posted on Sunday, February 25, 2007 2:51 PM

Feedback

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by LRK at 3/22/2007 10:22 PM Gravatar
Thanks for posting this. I've been trying for nearly two hours to figure out what changed from 1.1 to 2.0. MSDN doesn't make it obvious at all.

Regards,
LRK

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Techno Pig at 3/30/2007 2:51 PM Gravatar
Useful info and necessary for some of us working with complex sites with series of integrated forms.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Dilip Namdeo at 5/8/2007 11:03 PM Gravatar
Thx...It's really nice article...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Ajith Kumar A.J at 5/20/2007 9:42 PM Gravatar
Thanks, for the comments. It helped a lot. I have wasted a week to find a solution for that. Great Work !!!!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Tarique at 5/30/2007 10:17 AM Gravatar
Just one quick question.

When using session state with cookie, the sessionID is stored as a non-persistent cookie on the client side. And as soon as the browser closes, the Session ID cookie is destroyed, right ?

Thanks,

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/30/2007 5:56 PM Gravatar
Hi,

Yes, it's correct. However it doesn't mean that the session on the server expires immediately. If the session is not abandoned explicitly, it will expire (and the corresponding object in memory will be deleted) only after a timeout, which you can set in the web.config file (default 20 minutes).

Also, note that the session ID cookie is linked to the process on the client. Firefox runs only one process, always. So if you have multiple windows, they all run in the same process, and they all have the same session ID. For IE however, multiple processes are possible (you can have more than one IEXPLORE.EXE in the Task manager). So there is a different session ID for each instance of IEXPLORE.EXE. Multiple windows can run in one instance of this process, so these windows will have the same session ID. It's a bit confusing, I know...

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Hannes Calitz at 9/27/2007 2:11 AM Gravatar
Thank you sooooooooooo much. I have been struggling with this problem for a few hours now.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Sawan at 1/2/2008 7:51 PM Gravatar
Hi,

I try many State Management Tech. in My project but i use ohter with sessionID that create prob. to me. but when i use session object it works fine .

I got your point ...
So thanks for help dev...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Russell at 1/9/2008 10:32 PM Gravatar
holy shit....lots of hugs & kisses (not in a gay way) ....... yr solution rocks man!

# Sessionid for two tabs of same site in Firefox.

left by ashish at 2/10/2008 7:11 PM Gravatar
Need to create different Sessionid for two tabs of same site in Firefox.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 2/15/2008 11:46 PM Gravatar
Hi,

Session ID is per browser process instance. Since Firefox allows only one instance of the process, you cannot have multiple session IDs. Each window (and by extension each tab) running in the same process will automatically have the same session ID.

If you want a different ID, you'll have to resort to tricks. For example, have JavaScript initialize a variable based on the date/time at which the current page was loaded in the tab. Then, the new "fake" session ID becomes:

[real session ID]-[ticks]

You must make sure that the "fake" session ID is preserved over postbacks. It's quite some work, but doable.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by TK at 4/1/2008 10:02 PM Gravatar
Hey.. Thank you so much for this post.. It really helped me to manage my web application..

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/1/2008 10:28 PM Gravatar
Hi TK,

Glad to help. Happy coding.

Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by siddharth at 4/15/2008 2:35 PM Gravatar
Hi,
I want to abandon session when tab of the browser closed so please tell me how i do this means get that tab closed and fire Session.Abandon

thanks
Siddharth

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/16/2008 6:06 PM Gravatar
Hi,

There is no reliable way to do that, because the browser doesn't really have a reliable event. The way you can do is set the session to live for a very short time (1 minute), and then to use a web service to constantly "kick" the session and keep it alive (for example sending a very short message every 30 seconds). ASMX content is dynamic, so this will keep the session alive. Then when the heartbeat stops, the session will just expire.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by a h at 5/5/2008 7:35 PM Gravatar
This may have to do with improving security. Remember the hijaking of session id issue?

A user may browse the unsecured pages of say amazon.com and then decides to buy something at which point he is redirected to a secured page. If amazon cleverly starts the session only after the ssl has been established, it would be imposible for a hijaker to know the session id.

In this case this change of 2.0 is more than welcomed.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Ramesh at 5/8/2008 8:13 AM Gravatar
Nice article and a very good and simple example.....
Its very nice

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/8/2008 8:52 AM Gravatar
Thanks Ramesh,

Interestingly, it's the only one of my "older" articles that still gets comments regularly :) Happy to help!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by jayesh at 5/22/2008 12:45 AM Gravatar
when i used session.sessionid so it will give's me different sessionid at every times in Asp.net with AJAX so any one can help me for this problem

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Juan Romero at 5/22/2008 3:41 PM Gravatar
Thanks a lot man. We are making the move to .NET 2.0 and I have been going crazy with the damn session id changing every time. You saved me a lot of headache. Thanks again!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/22/2008 4:01 PM Gravatar
Hi Juan,

You welcome, I am really happy that it helped.

Happy coding,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/5/2008 8:50 AM Gravatar
Jack,

The session is linked to a cookie. Since Firefox forces all windows to run in the same process, all the windows will automatically share the same session ID (yes it's annoying, but that's Firefox policy). Every time that you use any Firefox window to access your ASP.NET application, the session will be extended. If you want it to expire, you must close Firefox completely (each window). For security, I would also check that the firefox process is really dead (I had issues with that in the past).

Greetings,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Adlin at 6/9/2008 5:45 PM Gravatar
Hi,

Even In IE, if you open two instance of IE by clicking an url from word or outlook its getting opened under the same sessionid. Any work around or solution would be really appreciated. Thanks in advance.
Mode -- > [cookieless="false"] and its Ajax enabled.
Regards,
Adlin.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/9/2008 9:37 PM Gravatar
Hi Adlin,

In the contrary to Firefox, IE has two ways to handle new windows:

- If you have an instance of IE open, and click on a link or a bookmark, the window will be open in the same process, thus the SessionID will be the same.

- If you explicitly start a new instance of IExplore.exe (for example by a double-click on the "IE" shortcut on your desktop), then the SessionID will be different.

The second possibility is not available in Firefox.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Adlin at 6/10/2008 6:59 AM Gravatar
Hi Laurent,

I really appreciate the immediate feedback you have given for my query. Sorry to bother you again, still I've some doubts on the same. IE generates different SessionId in the below conditions.

1. cookieless="true".
2. Clicking a link in word document or outlook.

As per your first explanation, it should generate the same sessionID for the second instance right? Please clarify me if I am not in sync with your explanation.

Best Regards,
Adlin


# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/10/2008 10:08 AM Gravatar
Hi Adlin,

I cannot test right now, but I suspect that clicking a link in a word document or outlook actually starts a new instance of the process. You can check it in the process explorer (in task manager). If you see one IExplore.exe before you click on the link, and 2 IExplore.exe after, then the sessionID will be different.

When I talked about "link" in my reply, I actually meant a link in a HTML page running in IE. For example, if you right click and select "open in new window", or if the link has target="_blank".

Another possible explanation is what I describe in this article: If you don't explicitly save something in the session, the sessionID will be different each time you reload the page.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Amruth at 7/18/2008 9:39 AM Gravatar
Hi Laurent

I have an instance of IE open, and click on a link or button, will open a new window.
Each of these windows should have unique identifiers which can be used as part of a key to load data into session.

Can the unique value be a Session Id.
My understanding from the article above is that Session Id cannot be unique since the new window is truly not a new instance of IExplore.exe.

Is there an alternative way for me to create unique keys for each IE window while running in the same process.
Please help.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 7/19/2008 8:12 AM Gravatar
Hi Amruth,

No, the SessionID is linked to the process, not to the window. Like I wrote before, if you open a window through a link, the process remains the same, so both windows have the same SessionID.

You can however implement an ID store in JavaScript, and have it pass unique IDs to the window. A typical unique ID can be composed of the SessionID and of the ticks at the time of opening the new window.

Greetings,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Peter Pan at 8/8/2008 12:23 AM Gravatar
Thanks lauri,
You are now my favourite blogger ;-) You should wear one of those MVP caps dude

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Another friend at 8/8/2008 12:32 AM Gravatar
Hey,

My question is inverse. How can I get a new session ID after the session expires?

Session end event fires, session values disappear but still the same session id persisits. How to instruct asp.net to give the browser a new cookie without reopening in a new browser?

Thanks

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by vinod at 8/27/2008 9:48 AM Gravatar
can i set expiry time for session id cookie ?
where i have to set cookie expiry time?
how ?

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Rick Holc at 8/28/2008 4:54 PM Gravatar
I just tried a similar solution using global.asax. I created a blank global.asax file in Visual Studio. This file contains subroutines for Session_Start and Session_End that do not contain any code. I did not add any code to the subs but placed the file in my application and the SessionID problem went away. I now have a valid ID on each post back and refresh. I guess the existance of the Session_Start subroutine is all it takes to initialize the Session state and maintain it. Anyone have any other ideas why this is working?

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Jeremy at 10/28/2008 3:06 PM Gravatar
I have been troubleshooting an issue with my session id changing when i click a specific link in my application. My Session_Start event has code to set teh cookie path to the application rather than the root website...

Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
' Fires when the session is started
' When multiple web sites are hosted in virtual directories, the ASP.NET_SessionId cookie has
' a default path of "/" which means that the browser will send it to ALL virtual directories
' hosted in the same IIS site. One way to solve this is to adjust the cookie created by ASP.Net
' to set the path to the virtual directory for the particular application. Then the browser
' will not send it to other virtual directories. The cookie can be adjusted in the Global.asax file.

'Adjusting the path of the ASP.NET_SessionId cookie:
Dim oCookie As HttpCookie = Response.Cookies("ASP.NET_SessionId")

If Not oCookie Is Nothing Then
oCookie.Path = Request.ApplicationPath.ToLower()
End If


End Sub

I debugged for hours and couldn't figure out why a new session was being created. The only difference I could find was that I was specifying the path in two different cases. For example, if I used "appname/page.aspx" the session id stayed the same. Then when I clicked on the link "AppName/page.aspx", that is when I was getting a new session. I have removed the Session_Start code that sets the cookie path, and now my session id stays consistent regardless of the case of the appname.

Not sure if this will help anyone, but I thought I would throw it out there to see if anyone had any experience with this.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Mr. Privates at 11/29/2008 1:14 AM Gravatar
Thanks, man... I knew something funny was going on; your article allowed me to stop scratching my head and go back to scratching other places. Mr. Privates.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 11/29/2008 10:15 AM Gravatar
Happy to help. I am glad to contribute to your scratching activities ;)

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by priya at 1/6/2009 10:22 AM Gravatar
Hi,

I have session add in Asp.net class file.
but not get in .aspx.vb page.

Thanks

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by priya at 1/6/2009 10:27 AM Gravatar
Hi,

I have session add in Asp.net class file.
but not get in .aspx.vb page.

This problem in firefox only but IE worked fine.

Thanks

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by sangam at 1/7/2009 5:31 AM Gravatar
Hi, I read through all the comments. But didn't find the one that explains how to restore session in different browsers. Say, between firefox and IE. I am using sql server mode of session, and the cookieeless is false. Actually, user can shop in my website and to place the order he may have to register to the site. Then he will get the email confirmation link. After clicking the link, either IE or firefox or any default browser may open. But i wish to restore the previous session in the currently opened browser. Although i am using sql server mode (with cookies enabled, because i can not use cookieeless mode, this is requirement [because it displays the sesson id in the url]), the functionality is not achieved. What can i do? Please help.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 1/7/2009 1:31 PM Gravatar
Hi Sangam,

No, a session is linked to the browser (in fact, linked to the process, so if you run two separate instances of IE (to IEXPLORE.EXE processes), you will have two different session IDs.

If you want to have the same session in multiple browsers, you need to come up with a mechanism yourself, for example using a login ID.

Cheers,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 1/14/2009 10:23 AM Gravatar
Yes it is normal, as mentioned a few times the Session ID is linked to the process. If you don;t restart the process on the client, the same session ID will be used.

If you don't want this mechanism, you have to come up with a different type of session handling.

Cheers,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Saravanan Somasundaram at 1/29/2009 7:05 AM Gravatar
Hey.. Thank you so much for this post.. It really helped me to manage my web application..

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Mukkesh at 2/11/2009 10:12 PM Gravatar
Hi Laurent,

I saw your blog where you are suggesting a tick in javascript and pass to page. So In Firefox also we can save the problem.

Do you have any sample for that. I am scratching my head.

Regards

Mukkesh

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by anshuman singh at 2/25/2009 6:11 AM Gravatar
does asp.net 3.5 have some thing more in session stuff i.e. either in Session.SessionID or simple session objects.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by anshuman singh at 2/25/2009 6:28 AM Gravatar
also i wanted to ask one thing. session id are always unique or they are also repeated. suppose a user enter in a website he will star some sessionid but is it possible that if he closes the browser and opens again will he get the same session id .
mind it i am not using cookies.(because cookies can again restore same sessionid)

Regards

Anshuman Singh

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by granit at 3/14/2009 7:43 PM Gravatar
Thank You...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Neeraj Verma at 3/21/2009 12:33 AM Gravatar
hey laurent,how're u buddy,i've some problem hope u could solve it,i don't want to close the browser n also i want to create a new session id after i log out from a page,pls help,my project is on a halt due to this problem..

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Edencity Chat at 5/23/2009 2:54 AM Gravatar
Thank You Admin

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Iceman at 5/27/2009 2:06 PM Gravatar
Hey Neeraj Verma,
to get a new SessionID on a ReLogin you can put this code in your logout method:
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

It will destroy the Session Cookie.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by steven at 6/2/2009 10:47 PM Gravatar
Thank you for posting this. even 2 years later this article is still helping. I love the new "Features" of microsoft.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by gabriel at 6/28/2009 12:54 PM Gravatar
thank you!!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by nirc at 8/14/2009 10:11 PM Gravatar
tqvm mr Iceman. very helpful. thumbs-up

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by TJ Ekleburg at 10/5/2009 3:58 AM Gravatar
Thank you very much for this tip. Like many others, I spent a good hour trying to find out why it wouldn't stay! Thank you very much! Will visit your blog very often!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by ventoshe at 10/21/2009 8:31 PM Gravatar
Thanks! Your post has saved me too a lot of head ache...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Punit Singhi at 1/18/2010 12:17 AM Gravatar
Thanks for such a good article, wasted so many hours to find out the reason, now i have a doubt is when I store some value in session object and specify timeout period as 1 min ,session doesn't get expire after 1 min ,can u tell me why is it so?

#  fix sessionid in asp.net with c# (session fixation)

left by Sudhir at 2/25/2010 11:46 PM Gravatar
HOW to fix session.sessionid in asp.net

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by pandian at 4/6/2010 9:36 PM Gravatar
It really works for me.

Thanks a lot.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/19/2010 7:39 AM Gravatar
Hello
i have a login page so once the user enters the correct details he enters into the home page. Now i want to implement 2 things
1. once he clicks the button 'log out' he must be redirected to a page saying" logged out successfully " n even if clicks the back button in the browser, he should not be able to access.

2. if the user leaves the homepage idle for a specific amount of time say 10minutes and then he tries to navigate after 10 mins a msg should display saying "Your Session has been expired login again"
3. if given the url of homepage he shouldnt be able to access unless logged in.
I am not sure about what exactly i need to do and how to do the.
My final sem project is at stake.Plz help Mr. Laurent
Regards
Indranil Mutsuddy

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/19/2010 8:12 AM Gravatar
Hi,

Please use StackOverflow (stackoverflow.com) for this kind of questions.

Thanks,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/19/2010 6:29 PM Gravatar
thanks for the suggestion.
But if you could plz tel the concept i need to use jus a brief description. As i already said i am in a bit hurry, so please dont mind Mr Bugnion
Thanks in advance

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/19/2010 7:20 PM Gravatar
hey i got the concept ..just 1 last question
How to do this "after logOut" when back button is clicked a message should appear saying "your session has expired" a

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/20/2010 7:19 AM Gravatar
http://www.4shared.com/file/ahtJUNN3/MyModifiedDesign20Apr.html

Thats my project plz have a look ..I need to implement the sessions and evrything there
Thanks alot for all u have done.
n thanks in advance.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/20/2010 7:52 AM Gravatar
You don't understand, I cannot answer your question. Apart from the fact that I do not have time to make your homeworks, I stopped doing ASP.NET long time ago, and I don't know the answer to the question.

I reiterate: Use StackOverflow for this kind of questions. In the time it took you to write to me 3 times, you would have an answer already.

Greetings,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/20/2010 3:42 PM Gravatar
sorry for bothering you.
I understand.. and yea Stack OverFlow is helpful
Thx again

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/22/2010 4:45 AM Gravatar
PROBLEM SOLVED!!!
tnx

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Ashok Salve at 4/23/2010 12:50 AM Gravatar
if (!IsPostBack && (Request.Cookies["__LOGINCOOKIE__"] == null || Request.Cookies["__LOGINCOOKIE__"].Value == ""))
{
//At this point, we do not know if the session ID that we have is a new
//session ID or if the session ID was passed by the client.
//Update the session ID.

Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

//To make sure that the client clears the session ID cookie, respond to the client to tell
//it that we have responded. To do this, set another cookie.
AddRedirCookie();
Response.Redirect(Request.Path);
}

//Make sure that someone is not trying to spoof.2

try
{
FormsAuthenticationTicket ticket =
FormsAuthentication.Decrypt(Request.Cookies["__LOGINCOOKIE__"].Value);

if (ticket == null || ticket.Expired == true)
throw new Exception();

RemoveRedirCookie();
}
catch
{
//If someone is trying to spoof, do it again.
AddRedirCookie();
Response.Redirect(Request.Path);
}


Response.Write("Session.SessionID=" + Session.SessionID + "<br/>");
Response.Write("Cookie ASP.NET_SessionId=" + Request.Cookies["ASP.NET_SessionId"].Value + "<br/>");


i am using the above code to create new session id on every login. but line ticket.Expired == true is always return true please help.
what should i do to create new session id on every login.
Thanks in advance

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Indranil Mutsuddy at 4/26/2010 8:11 AM Gravatar
Submit ur queries regarding stuff like this to stackoverflow.com and dont bother Mr.Bugnion.

This site helped me a lot
Thax to Mr Bugnion again.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/26/2010 9:55 AM Gravatar
Hi,

Just to be clear, questions are (mostly ;)) not a bother and I enjoy answering them when I can. However, I stopped working in ASP.NET quite some time ago, and am not up to date with the latest developments.

The advice to go to StackOverflow.com is a good one!

Cheers,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Snap D at 3/1/2011 7:56 AM Gravatar
Its a really good article and good conceptually explained up. Thanks to author.
SnapDeveloper.in

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by LGandhi at 3/3/2011 6:27 PM Gravatar
Hi,
I am facing a problem in my website, I am getting same sessionId for all new instances of browser dont know why, needs help .....

Regards,
LG

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Hiranya Patel at 8/18/2011 8:14 AM Gravatar
Hi,
I was facing the same issue of new session ID on each request. I tried this workaround but I still get new session ID for each request? Any idea?
I have WSS 3.0 deployed on Windows 2008 R2 (64-bit) with in-build IIS. I have custom ASPX pages which are page of WSS 3.0.
Thanks in advance.
Hiranya

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by nilesh singh at 3/14/2012 7:00 PM Gravatar
Hi
i have one question session has been store on clients side on cookies if cookiees is disable the session will be working or not?
Post A Comment
Title:
Name:
Email:
Website:
Comment:
Verification:
 
 
Copyright © Laurent Bugnion