Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

Tags:

.net

asp.net

session

session-state

People also ask

What is the difference between session clear and session abandon?

Clear - Removes all keys and values from the session-state collection. Abandon - removes all the objects stored in a Session. If you do not call the Abandon method explicitly, the server removes these objects and destroys the session when the session times out.

Which method is used to clear the session values?

A PHP session can be destroyed by session_destroy() function. This function does not need any argument and a single call can destroy all the session variables. If you want to destroy a single session variable then you can use unset() function to unset a session variable.

What is session abandon ()?

The Abandon method destroys all the objects stored in a Session object and releases their resources. If you do not call the Abandon method explicitly, the server destroys these objects when the session times out.

Session.Abandon() destroys the session and the Session_OnEnd event is triggered.

Session.Clear() just removes all values (content) from the Object. The session with the same key is still alive.

So, if you use Session.Abandon(), you lose that specific session and the user will get a new session key. You could use it for example when the user logs out.

Use Session.Clear(), if you want that the user remaining in the same session (if you don't want the user to relogin for example) and reset all the session specific data.


Only using Session.Clear() when a user logs out can pose a security hole. As the session is still valid as far as the Web Server is concerned. It is then a reasonably trivial matter to sniff, and grab the session Id, and hijack that session.

For this reason, when logging a user out it would be safer and more sensible to use Session.Abandon() so that the session is destroyed, and a new session created (even though the logout UI page would be part of the new session, the new session would not have any of the users details in it and hijacking the new session would be equivalent to having a fresh session, hence it would be mute).


Session.Abandon destroys the session as stated above so you should use this when logging someone out. I think a good use of Session.Clear would be for a shopping basket on an ecommerce website. That way the basket gets cleared without logging out the user.

Related questions

Making a Simple Ajax call to controller in asp.net mvc
Wrapping synchronous code into asynchronous call
The object cannot be deleted because it was not found in the ObjectStateManager
How to get the groups of a user in Active Directory? (c#, asp.net)
How do I put hint in a asp:textbox
Getting current directory in .NET web application
How to "warm-up" Entity Framework? When does it get "cold"?
Difference between a Postback and a Callback
How do I get Gridview to render THEAD?
Convert string to List<string> in one line?
What is the difference between SessionState and ViewState?
Unable to cast object of type 'System.DBNull' to type 'System.String`
I'm lost. What happened to ASP.NET MVC 5?
Failed to serialize the response in Web API with Json
Can I incorporate both SignalR and a RESTful API?
How do you convert Html to plain text?
Receiving login prompt using integrated windows authentication
Problem in running .net framework 4.0 website on iis 7.0
How to render a DateTime in a specific format in ASP.NET MVC 3?
How do I access the ModelState from within my View (aspx page)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!