views:

809

answers:

2

It is my understanding, according to the MSDN, that regenerateExpiredSessionId="true" specifies that the session ID will be reissued when an expired session ID is specified by the client. However, this does not seem to be working as described.

Let's say you have an application configured as follows:

<sessionState 
     cookieless="AutoDetect" 
     regenerateExpiredSessionId="true" />

And somewhere else, you have a link to a page in that application in which an expired session ID is embedded:

<p><a href="http://localhost/SessionStateTest/(S(3gxng155isp0ocvhveoklnqe))/Default.aspx"&gt;Here is a link!</a></p>

If a browser in which cookies are not enabled clicks on that link, the session ID is not reissued. It is recycling the expired ID from the URL and creating the new session with this old ID.

Of course, if several no-cookie browsers click on the link simultaneously, they ALL share that same expired session ID, which is obviously a security issue.

Isn't regenerateExpiredSessionId="true" supposed to prevent users from inadvertently sharing the same session state? If so, why isn't the framework generating new session IDs as expected in this case?

A: 

Hi,

Are you sure your session is actually expiring ?

If you are using Forms authentication, its ticket can expire at different time than the session. (gets more confusing when you throw sliding expiration into the mix)

To check with cookieless enabled just look at the url when you think the session has expired... if the second part of the url ticket "F(xydUI....)" changes when you login again but the "S(dysXy...)" stays the same you know your session is just getting renewed and hasn't fully expired.

Hope this helps

Element
A: 

Yeah, I'm sure.

First of all, there is no authentication involved here, Forms or otherwise.

Second, the expired session is embedded in a link that is totally separate from the application, and that was generated weeks ago (on a different machine, no less). Can't get much more expired than that.

MissingLinq