In my ASP.NET web app I call Session.Abandon() in Page_Load(). I would expect this would abandon the session straight away and the next time I reference the HttpContext.Current.Session a new session should be created. However, putting breakpoints on the Session_End and Session_Start handlers in Global.asax indicates that these aren't called until the page has finished rendering.
So two questions:
1) Why?
2) How can I continue to use HttpContext.Current.Session within a page lifecycle once Session.Abandon() has been called?
Thanks in advance!
The Abandon method destroys all the objects stored in a Session object and releases their resources. If you do not call the Abandon method explicitly, the server destroys these objects when the session times out.
Abandon() destroys the session. Session.Clear() just removes all values.
The Abandon method destroys a user session. Note: When this method is called, the current Session object is not deleted until all of the script on the current page has been processed. This means that it is possible to access session variables on the same page as the call to Abandon, but not from another Web page.
http://msdn.microsoft.com/en-us/library/ms524310(v=vs.90).aspx
Look at the remarks section on the linked page. Looks like the session objects are only queued for deletion, and not deleted until the code finishes running.
This was my solution:
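    // Method of a Page code-behind class (needs System and System.Web).
    private void PurgeSession()
    {
        // Remove every key and value from the current session.
        try { Session.Clear(); }
        catch (Exception) { }

        // Mark the session for destruction; this takes effect when the request ends.
        try { Session.Abandon(); }
        catch (Exception) { }

        // Also removes all keys and values from the session-state collection.
        try { Session.RemoveAll(); }
        catch (Exception) { }

        // Expire the session cookie so the browser stops sending the old session ID.
        try
        {
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId")
                { Expires = DateTime.Now.AddYears(-1) });
        }
        catch (Exception) { }
    }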
This is effectively the orbital bombardment option.
Some information sourced from: http://www.dotnetfunda.com/articles/article1395-how-to-avoid-the-session-fixation-vulnerability-in-aspnet-.aspx
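The following is an added example, not code from any of the posts above. It shows one way to rotate the session ID at login given that Abandon() only takes effect at the end of the request: drop the pre-login session, expire its cookie, and redirect so the fresh session starts on the next request. It assumes Web Forms with Forms Authentication; the Login page, the UserName and Password text boxes, ValidateCredentials and the ~/Default.aspx landing page are hypothetical names.

```csharp
// Added example. Assumed names: Login page, UserName/Password TextBox controls
// (declared in the designer half of this partial class), ~/Default.aspx.
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
            return; // failed login: leave the anonymous session alone

        // Abandon() only queues the session for teardown at the end of this
        // request, so empty it first and store nothing in it afterwards.
        Session.Clear();
        Session.Abandon();

        // Read the configured cookie name (defaults to ASP.NET_SessionId)
        // instead of hard-coding it, then expire that cookie so the browser
        // does not present the pre-login session ID again.
        var cfg = (SessionStateSection)WebConfigurationManager
            .GetSection("system.web/sessionState");
        Response.Cookies.Add(new HttpCookie(cfg.CookieName, string.Empty)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
            Expires = DateTime.UtcNow.AddYears(-1)
        });

        // Identity travels in the forms-authentication ticket, not in the
        // session that is being discarded.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // End this request cleanly; the landing page runs in a new request,
        // where Session refers to a new session with a new ID.
        Response.Redirect("~/Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Hypothetical helper: swap in the application's own credential check.
    private bool ValidateCredentials(string user, string password)
    {
        return Membership.ValidateUser(user, password);
    }
}
```

Per-user session values are then populated in the landing page's Page_Load, once the request is running under the new session ID.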