
Difference with regenerateExpiredSessionId="false" and regenerateExpiredSessionId="true" .net

My understanding from

http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.regenerateexpiredsessionid.aspx

the meaning of regenerateExpiredSessionId="false" was that if a session ID has expired, it will NOT be reused if a client requests a URL with the same ID.

And the meaning of regenerateExpiredSessionId="true" was that if a session ID has expired, it will be reused (recycled) if a client requests a URL with the same ID.

But when I read the post at

regenerateExpiredSessionId not working as expected

it seems that I misunderstood what regenerateExpiredSessionId="true" means.

Can someone explain which is right?

asked Sep 21 '09 20:09

nLL


People also ask

What is regenerateExpiredSessionId?

"regenerateExpiredSessionId" is used to ensure that if a cookieless URL has expired, a new URL is created with a new session. And if the same cookieless URL is being used by multiple users at the same time, they all get a new regenerated session URL.

What is sessionState in web config?

The SessionStateSection class refers to the element in the Machine.config or Web.config configuration file identified by the sessionState tag.

What is IIS session state?

Session state is a means by which Internet Information Services (IIS) 7 stores information about each unique client session. For example, if your Web site has a shopping cart application, the contents of each client's shopping cart can be stored in session state.

What is session state?

Session state is an ASP.NET Core scenario for storage of user data while the user browses a web app. Session state uses a store maintained by the app to persist data across requests from a client. The session data is backed by a cache and considered ephemeral data.


2 Answers

By default, the session ID values that are used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request. This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers. (This can occur if the link is passed through a search engine, through an e-mail message, or through another program.) You can reduce the chance of session data being shared by configuring the application not to recycle session identifiers. To do this, set the regenerateExpiredSessionId attribute of the sessionState configuration element to true. This generates a new session ID when a cookieless session request is made with an expired session ID.

Ref: http://msdn.microsoft.com/en-us/library/ms178581.aspx

answered Sep 22 '22 18:09

Ashish
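
The setting described in the answer above, as an added web.config fragment (not part of the original answer or of the MSDN page). The `mode`, `cookieless` and `timeout` values are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config fragment for an ASP.NET application that uses
     cookieless sessions. The mode, cookieless and timeout values are
     assumptions for illustration; regenerateExpiredSessionId is the point. -->
<configuration>
  <system.web>

    <!-- Recycling variant, kept commented out for comparison:
         a request whose URL carries an expired SessionID starts a new
         session under that same ID, so a link that was e-mailed or indexed
         by a search engine can put several browsers into one session.

    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="false"
                  timeout="20" />
    -->

    <!-- Non-recycling variant: a cookieless request that arrives with an
         expired SessionID is given a newly generated ID instead of reusing
         the one supplied in the URL. -->
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="true"
                  timeout="20" />

  </system.web>
</configuration>
```

To verify the deployed setting, request a cookieless URL whose session has timed out and confirm that the `(S(...))` segment of the URL you are redirected to differs from the one you sent.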


I believe that the word "reissue" is problematic when people discuss this attribute. I have seen some posts interpret it to mean "a new session id is generated and issued to the client," and others which interpret it to mean "an expired session id is assigned to a new session and issued to the client." I believe that the MSDN documentation means it in the latter sense, and that the Stack Overflow post you reference incorrectly interpreted it as the former.

answered Sep 26 '22 18:09

bluemoo