tags:

views:

809

answers:

2
+2  Q: 

regenerateExpiredSessionId not working as expected

It is my understanding, according to the MSDN, that regenerateExpiredSessionId="true" specifies that the session ID will be reissued when an expired session ID is specified by the client. However, this does not seem to be working as described.

Let's say you have an application configured as follows:

<sessionState 
     cookieless="AutoDetect" 
     regenerateExpiredSessionId="true" />

And somewhere else, you have a link to a page in that application in which an expired session ID is embedded:

<p><a href="http://localhost/SessionStateTest/(S(3gxng155isp0ocvhveoklnqe))/Default.aspx"&gt;Here is a link!</a></p>

If a browser in which cookies are not enabled clicks on that link, the session ID is not reissued. It is recycling the expired ID from the URL and creating the new session with this old ID.

Of course, if several no-cookie browsers click on the link simultaneously, they ALL share that same expired session ID, which is obviously a security issue.

Isn't regenerateExpiredSessionId="true" supposed to prevent users from inadvertently sharing the same session state? If so, why isn't the framework generating new session IDs as expected in this case?

A: 

Hi,

Are you sure your session is actually expiring ?

If you are using Forms authentication, its ticket can expire at different time than the session. (gets more confusing when you throw sliding expiration into the mix)

To check with cookieless enabled just look at the url when you think the session has expired... if the second part of the url ticket "F(xydUI....)" changes when you login again but the "S(dysXy...)" stays the same you know your session is just getting renewed and hasn't fully expired.

Hope this helps

Element  2009-01-17 00:12:12
A: 

Yeah, I'm sure.

First of all, there is no authentication involved here, Forms or otherwise.

Second, the expired session is embedded in a link that is totally separate from the application, and that was generated weeks ago (on a different machine, no less). Can't get much more expired than that.

MissingLinq  2009-01-17 02:33:08

related questions

How in ASP.NET, do you deal with session and multiple tabs?
Unable to connect to SQL Server session database
Has anyone tried building an ASP.NET Session State Provider for Amazon SimpleDB?
How Do I Track and Eliminate Session Abuse?
Using Cookies for Web Session State - What are the pitfalls?
Synchronizing ASP.NET Sessions Across Multiple Sites
Different ways of storing data in session state
Why would ASP.NET MVC use session state?
Managing Session State
Find Items that are Not [Serializable]
ASP.NET Session State Migration
Is AcquireRequestState suppose to fire for ASP.NET URL Routing for IIS7?
ASP.Net: How to clear out session on log out
ASP.NET MVC Session State
ASP.NET Session/Cache + multi-core processor server
Session Timeout ASP.Net
in IIS, what's the difference between "application" and "session" ?
ASP.NET and Sessions - New Browser Instance versus New Browser Window
accessing SessionState in Global.Application_Error
Can I access session state from an HTTPModule?
Why do I lose my Session Variable in 5 minutes?
Can I abandon an InProc ASP.NET session from a session different than one making the request?
ASP.Net Session
How do I get user informations from a session id in ASP.NET ?