tags:

views: 323

answers: 2

hello

A) I assume ASP.NET allows you to reuse a session identifier only if we operate in cookieless mode, but not if we use cookies to store the session ID?

B) From my book:

“By default, ASP.NET allows you to reuse a session identifier. For example, if you make a request and your query string contains an expired session, ASP.NET creates a new session and uses that session ID. The problem is that a session ID might inadvertently appear in a public place - such as in a results page in a search engine. This could lead to multiple users accessing the server with the same session identifier and then all joining the same session with the same shared data.”

I’m not sure I understand how reusing a session identifier could cause the session ID to appear in a results page of a search engine?

C) Continuing:

“To avoid this potential security risk, it’s recommended that you include the optional regenerateExpiredSessionId attribute and set it to true whenever you use cookieless sessions. This way, a new session ID will be issued if a user connects with an expired session ID. The only drawback is that this process also forces the current page to lose all view state and form data, because ASP.NET performs a redirect to make sure the browser has a new session identifier.”


Why does ASP.NET need to perform a redirect to make sure the browser has a new session identifier? Couldn’t it just extract the session ID from the URL and throw it away?

Thank you

+6  A: 

A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.

B) When using cookie-less sessions, it's quite possible that a search engine could index a page with the session ID implanted in the URL. In this case, should a user click on the link from the search engine (and regenerateExpiredSessionId was 'true'), a new session would be created using the same ID. Subsequent users would also re-use the same ID should they click the link, and if multiple users are browsing at the same time using the same ID, they would be overwriting each other's session values with each request.

C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.
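The setting that the book passage (paragraph C of the question) and point B of the answer above are discussing is the `regenerateExpiredSessionId` attribute of the `<sessionState>` element in web.config. The fragment below is an added example, not taken from the question, the book or the answers: the element and attribute names are the standard ASP.NET ones, while the `mode` and `timeout` values are arbitrary placeholders chosen for illustration.

```xml
<!-- Added example, not from the original thread. Two web.config fragments,
     shown side by side; a real web.config has only one <sessionState>. -->

<!-- 1. Risky: the session ID travels in the URL (cookieless) and an expired
        ID found in the URL is reused as-is. Anyone who follows an indexed or
        shared URL carrying that ID joins one and the same session. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="false"
                  timeout="20" />
  </system.web>
</configuration>

<!-- 2. Hardened: still cookieless, but an expired ID in the URL is discarded
        and a fresh one is issued via a redirect (the book's recommendation).
        Side effect noted in the book: the redirect drops the current page's
        form data and view state. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="UseUri"
                  regenerateExpiredSessionId="true"
                  timeout="20" />
  </system.web>
</configuration>

<!-- 3. If URL-embedded IDs are not actually required, keeping the ID in a
        cookie avoids it appearing in search results or shared links at all;
        as point A of the answer says, a stale cookie ID is simply replaced
        in the response. -->
<configuration>
  <system.web>
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20" />
  </system.web>
</configuration>
```

The difference between fragments 1 and 2 is the only thing the book's advice changes; fragment 3 is the option answer A describes and removes the URL exposure that makes the reuse problem possible in the first place.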

A: 

A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.

Just to be sure I understand what you are saying:

  • When the session is cookie-based and you make a request, but your cookie contains the session ID of an already expired session, then the server will generate a new ID?

  • But if the session is cookieless (thus the ID is contained in the URL), then by default ASP.NET will create a new session using that same ID?

C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.

But why doesn’t it instead just put the new session ID in the URL and send it back? There must be a reason why this wouldn’t work and thus a redirect is needed?!
