I'm trying to solve a problem related to Session Fixation in an MVC 4 application (https://www.owasp.org/index.php/Session_fixation).
When the user enters the login page we clear all session data and session-related cookies. Code:
// Drop everything stored in the current session (RemoveAll is an alias of Clear).
Session.Clear();
// Mark the session as abandoned so the server-side state is discarded at the end of the request.
Session.Abandon();
Session.RemoveAll();
// Expire the client's session cookie so the next request does not present the old ID.
// Assigning to Response.Cookies[...] creates the response cookie if it is not there yet.
if (Request.Cookies["ASP.NET_SessionId"] != null)
{
    Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
    Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
}
The application's login page asks for the user's credentials and a captcha. When the user hits the login button we send an Ajax request. Code:
@using (Ajax.BeginForm("Autenticar", "Login", null, new AjaxOptions { OnComplete = "OnComplete", OnBegin = "OnBegin", OnSuccess = "OnSuccess", OnFailure = "OnFailure" }, new { @class = "Exception" }))
{
    <fieldset>
        <legend>Login Form</legend>
        @* all form inputs *@
    </fieldset>
}
We need to change the Session.SessionID at this moment, preventing a session from being fixated beforehand. The problem is that all the user information saved in Session["UserInfo"] is lost when regenerating the SessionID.
I tried creating a new session or changing the current session ID as suggested in this blog post (http://weblogs.asp.net/anasghanem/archive/2008/12/16/programmatically-changing-the-session-id.aspx):
using System.Web.SessionState;

// Generate a fresh session ID and write it to the response cookie.
// The in-process store still holds the data under the old ID, so the
// next request (with the new cookie) starts with an empty session.
SessionIDManager Manager = new SessionIDManager();
string NewID = Manager.CreateSessionID(Context);
string OldID = Context.Session.SessionID;
bool redirected;
bool IsAdded;
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);
Can anyone hand me some useful info on how to keep the data under the new SessionID?
Thanks.
The answer is that you should save any data to the database prior to doing this. You should really not be using Session for anything that can't be regenerated from the database anyway, since IIS can kill your session at any time, for any reason (or no reason). Session is a temporary storage mechanism only.
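An added example of the approach the answer recommends, not code from the asker or answerer. It assumes an MVC 4 application using Forms Authentication, a hypothetical IUserInfoStore that stands in for the database (the in-memory implementation below is constructed for illustration), and a Spanish-named Autenticar action as in the question. The login action throws away the pre-login session and its cookie so the next request gets a new ID, keeps the identity in the Forms Auth ticket rather than in Session, and the helper rebuilds Session["UserInfo"] from the store whenever it is missing, so nothing is lost when the session is regenerated or recycled:

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example; IUserInfoStore and UserInfo are assumptions, not part of the original page.
public class UserInfo
{
    public string UserName { get; set; }
    public string DisplayName { get; set; }
    public string[] Roles { get; set; }
}

public interface IUserInfoStore
{
    bool ValidateCredentials(string userName, string password);
    UserInfo Load(string userName);
}

// Constructed stand-in for the database so the example compiles on its own.
public class InMemoryUserInfoStore : IUserInfoStore
{
    private static readonly ConcurrentDictionary<string, UserInfo> Users =
        new ConcurrentDictionary<string, UserInfo>(StringComparer.OrdinalIgnoreCase);

    static InMemoryUserInfoStore()
    {
        Users["alice"] = new UserInfo { UserName = "alice", DisplayName = "Alice", Roles = new[] { "user" } };
    }

    public bool ValidateCredentials(string userName, string password)
    {
        // A real store compares against a salted password hash; this stub only illustrates the flow.
        return Users.ContainsKey(userName) && password == "demo";
    }

    public UserInfo Load(string userName)
    {
        UserInfo info;
        return Users.TryGetValue(userName, out info) ? info : null;
    }
}

public class LoginController : Controller
{
    private readonly IUserInfoStore _store;

    public LoginController() : this(new InMemoryUserInfoStore()) { }
    public LoginController(IUserInfoStore store) { _store = store; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Autenticar(string userName, string password)
    {
        if (!_store.ValidateCredentials(userName, password))
            return new HttpStatusCodeResult(401, "Invalid credentials");

        // Discard the pre-login session entirely. Anything an attacker may have
        // fixated is gone, and nothing of value is kept here because UserInfo is
        // reloaded from the store on demand (see SessionCache.CurrentUserInfo).
        Session.Clear();
        Session.Abandon();

        // Expire the client's session cookie so the *next* request is issued a fresh ID.
        var dead = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(dead);

        // The identity travels in the Forms Authentication ticket, not in Session.
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);

        // The form is posted via Ajax, so tell the client where to go next.
        return Json(new { ok = true, redirect = Url.Action("Index", "Home") });
    }
}

// Session is only a cache: rebuild the entry from the store whenever it is absent
// (first request after login, after an IIS recycle, or after any future regeneration).
public static class SessionCache
{
    private const string Key = "UserInfo";

    public static UserInfo CurrentUserInfo(HttpContextBase ctx, IUserInfoStore store)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return null;

        var cached = ctx.Session[Key] as UserInfo;
        if (cached != null && cached.UserName == ctx.User.Identity.Name)
            return cached;

        var info = store.Load(ctx.User.Identity.Name);
        ctx.Session[Key] = info;
        return info;
    }
}
```

To check the fix, note the ASP.NET_SessionId cookie value before submitting the login form and again on the first request after it; the two must differ, and a request that replays the old cookie after login must come back with a new session and no UserInfo bound to it. The SessionIDManager approach from the blog post cannot carry data across the change for the reason the asker observed: the in-process store saves the request's data under the ID the request started with, so whatever must survive has to live in the database (or in the auth ticket) rather than in Session.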