 

ASP.net MVC 5 Session is not clearing after calling Abandon()

MVC noob here.

I currently have this code that fires off my HomeController when a page loads via AJAX:

using System.Web.Mvc;

namespace ETTData.Controllers
{
    public class HomeController : Controller
    {
        [HttpPost]
        public ContentResult clearSessions()
        {
            var currentSession = System.Web.HttpContext.Current.Session;

            System.Diagnostics.Debug.WriteLine("BEFORE: " + currentSession.Timeout);

            currentSession.Abandon();
            //currentSession.RemoveAll();
            //currentSession.Clear();

            System.Diagnostics.Debug.WriteLine("AFTER : " + currentSession.Timeout);

            return new ContentResult { Content = "OK", ContentType = "text/plain" };
        }
    }
}

The output of the debug.WriteLine is:

BEFORE: 35

AFTER : 35

So as you can see it has 35 on the BEFORE but also has 35 for the AFTER when it shouldn't equal anything since I used currentSession.Abandon(); prior to calling that output.

I am setting the session timeout via the Global.asax.cs file:

using System;
using System.Web;

namespace ETTData
{
    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Session_Start(Object sender, EventArgs e)
        {
            HttpContext.Current.Session.Timeout = 35;
        }
    }
}

So saying all that - I'm at a loss as to why it's not clearing the session...

StealthRT asked Jun 01 '17 15:06



2 Answers

Yeah, that's a good one that got me too in WebForms a long time ago.

The issue is that your session is bound to a session cookie.
The cookie is transmitted in the request and response headers, which means via the HTTP protocol. The HTTP protocol is stateless, and therefore, it can't remove a cookie until after a response has been sent.

When you call session.Abandon, the session data will be abandoned at the same time as the cookie is abandoned at the client. Which means the framework marks the session data as "to be cleared after the response has been sent", which is after response.end. At response.end (which will be called after ContentResult.ExecuteResult), the framework will then clear the session. Subsequently it will call the Session_End event.

Session.Clear removes items immediately, but it will not remove the session cookie - therefore it also doesn't end the session, and it will not call the Session_End event - which is because it doesn't expire the session cookie.

Think of it as an async function.
You called abandon, but it's not yet executed.
As the others told you, if you need the session cleared immediately, call session.clear after session.abandon.

But if you start another session after you called session.abandon, you'll run into a very sharp knife.

Basically, you should never use sessions.
If you want to access "session" data without a detour into the database, you should store the information in an encrypted and asymmetrically-signed cookie, which you can bind to a session-lifetime, if you want to, but you don't have to. Google JWT for more information. I would bind such data into your auth-cookie. That way, there's no need for >1 cookies. The default timeout of 20 minutes in ASP.NET is a pretty bad thing. Your session data shouldn't expire until your authentication has.

Also, be careful what you write into your session.
If you just store user information there, that's fine.
But if you store state information there, you'll have a problem, because I can open multiple tabs of your site at once, and then the state from tab2 will overwrite the state of tab1. You have ONE session per domain, not one per tab.

Stefan Steiger answered Oct 20 '22 00:10


Have a look at this question to find your answer.

In short: Session.Abandon destroys the session but doesn't clear its values. This happens when the request ends. Session.Clear clears everything from the session but doesn't destroy it.

Andre Kraemer answered Oct 20 '22 00:10
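
The Clear/Abandon behaviour both answers describe, combined into one logout-style action that also stops the browser from reusing the old session ID. This is an added example, not code from the question or either answer. `SessionDemoController` and `EndSession` are hypothetical names, and `ASP.NET_SessionId` is assumed to be the cookie name (the default unless `cookieName` is changed in `sessionState`).

```csharp
using System;
using System.Web;
using System.Web.Mvc;

namespace ETTData.Controllers
{
    // Added example: hypothetical controller, not the asker's HomeController.
    public class SessionDemoController : Controller
    {
        [HttpPost]
        public ContentResult EndSession()
        {
            // Clear() empties the key/value store immediately, so nothing
            // later in this request can read stale session items.
            Session.Clear();

            // Abandon() only flags the session; the session-state module
            // discards it when the request ends (InProc then raises Session_End).
            Session.Abandon();

            // Timeout is a property of the session object, not a stored item,
            // so neither call above resets it during this request.
            System.Diagnostics.Debug.WriteLine("Items after Clear: " + Session.Count);
            System.Diagnostics.Debug.WriteLine("Timeout after Abandon: " + Session.Timeout);

            // Abandon() does not remove the session ID cookie from the browser.
            // Overwrite it with an expired, empty cookie so the next request is
            // issued a fresh ID instead of reusing the old one.
            var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1),
                HttpOnly = true,
                Secure = Request.IsSecureConnection
            };
            Response.Cookies.Add(expired);

            return new ContentResult { Content = "OK", ContentType = "text/plain" };
        }
    }
}
```

Rotating the session ID when a session ends (and again at login) keeps an identifier that was known before authentication from staying valid afterwards.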