开发者

Regenerate SessionID in ASP.NET

开发者 https://www.devze.com 2023-02-20 21:29 出处:网络
Please suggest how to regenerate a new Session ID in ASP.NET. If we are using SessionM开发者_开发问答anager to generate a new id then it doesn\'t change the value of Session.SessionID. Please suggest
相关专题:asp.net

Please suggest how to regenerate a new Session ID in ASP.NET. If we are using SessionM开发者_开发问答anager to generate a new id then it doesn't change the value of Session.SessionID. Please suggest how this can be achieved. Basically I want to have a new Session.SessionID after abandoning Session or generating NewID with SessionManager.

Thanks

Take a look onto SessionIDManager.SaveSessionID method, it saves a newly created session identifier to the HTTP response.:

SessionIDManager manager = new SessionIDManager();
var newId = manager.CreateSessionID(Context);
var isRedirected = false;
var isAdded = false;
manager.SaveSessionID(Current, newId, out isRedirected, out isAdded);


//Regenerate new Session ID after login
private void RegenerateSessionId()
{
    System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd = false, isRedir = false;
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);
    HttpApplication ctx = (HttpApplication)HttpContext.Current.ApplicationInstance;
    HttpModuleCollection mods = ctx.Modules;
    System.Web.SessionState.SessionStateModule ssm = (SessionStateModule)mods.Get("Session");
    System.Reflection.FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    SessionStateStoreProviderBase store = null;
    System.Reflection.FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
    foreach (System.Reflection.FieldInfo field in fields)
    {
        if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        if (field.Name.Equals("_rqId")) rqIdField = field;
        if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
        if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
    }
    object lockId = rqLockIdField.GetValue(ssm);
    if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(Context, oldId, lockId);
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}
                //get sessionId
            string SessionId = HttpContext.Current.Session.SessionID; //new System.Web.SessionState.SessionIDManager().GetSessionID(Context);

We used Alex's solution but initially it did not work, the original sessionID returned and the newly generated sessionID was ignored. We tried a bunch of approaches and in the end what worked was to ensure the sessionID regeneration step sits outside any login step and that there is a redirect between steps. First we destroy the session cookie, then we recreate a new sessionID and lastly we redirect to the login page. The redirect before any log in is the critical step:

 //delete session cookie
 Session.Abandon();
 Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

 //create new sessionID
 SessionIDManager manager = new SessionIDManager();
 manager.RemoveSessionID(System.Web.HttpContext.Current);
 var newId = manager.CreateSessionID(System.Web.HttpContext.Current);
 var isRedirected = true;
 var isAdded = true;
 manager.SaveSessionID(System.Web.HttpContext.Current, newId, out isRedirected, out isAdded);

 //redirect so that the response.cookies call above actually enacts
 Response.Redirect("/account/logon");

The trick is to set any value in this.Session before redirecting, otherwise the "empty and therefor unusable session" will be recycled.

The example code below is the condensed version of some helper functions I'm using to share some session-related info across domains. First a server-to-server call is made to set up the session id; second the user's browser is redirected to a page that will set the session id and redirect to the front page (or somewhere more relevant).

private static string CreateSessionId(HttpContext httpContext)
{
    var manager = new SessionIDManager();

    string newSessionId = manager.CreateSessionID(httpContext);

    return newSessionId;
}

public static void SetSessionId(HttpContext httpContext, string newSessionId, string redirect)
{
    var manager = new SessionIDManager();

    bool redirected;
    bool cookieAdded;

    manager.SaveSessionID(httpContext, newSessionId, out redirected, out cookieAdded);

    // Just write anything to the session, so it isn't abandoned
    httpContext.Session["WriteAnythingToTheSession"] = "Ok boss, consider it done!";

    httpContext.Response.Redirect(redirect, true);
}

The above was tested by setting the session id late in the normal page cycle, in Page_Load. Might work differently if implemented in an HttpHandler or something like it. Also, this was implemented in a legacy ASP.NET 2.0 application and tested locally on IIS Express - your mileage may vary.

I thing, we need to make in this order:

  1. Generate a new SessionId with the SessionIdManager
  2. Save this new SessionId
  3. Set all variables attached to old session, to new session. Otherwise the session variables will be null in the new sessio

//Regenerate new Session ID after login
private void RegenerateSessionId()
{
    System.Web.SessionState.SessionIDManager manager = new System.Web.SessionState.SessionIDManager();
    string oldId = manager.GetSessionID(Context);
    string newId = manager.CreateSessionID(Context);
    bool isAdd = false, isRedir = false;
    manager.SaveSessionID(Context, newId, out isRedir, out isAdd);
    HttpApplication ctx = (HttpApplication)HttpContext.Current.ApplicationInstance;
    HttpModuleCollection mods = ctx.Modules;
    System.Web.SessionState.SessionStateModule ssm = (SessionStateModule)mods.Get("Session");
    System.Reflection.FieldInfo[] fields = ssm.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance);
    SessionStateStoreProviderBase store = null;
    System.Reflection.FieldInfo rqIdField = null, rqLockIdField = null, rqStateNotFoundField = null;
    foreach (System.Reflection.FieldInfo field in fields)
    {
        if (field.Name.Equals("_store")) store = (SessionStateStoreProviderBase)field.GetValue(ssm);
        if (field.Name.Equals("_rqId")) rqIdField = field;
        if (field.Name.Equals("_rqLockId")) rqLockIdField = field;
        if (field.Name.Equals("_rqSessionStateNotFound")) rqStateNotFoundField = field;
    }
    object lockId = rqLockIdField.GetValue(ssm);
    if ((lockId != null) && (oldId != null)) store.ReleaseItemExclusive(Context, oldId, lockId);
    rqStateNotFoundField.SetValue(ssm, true);
    rqIdField.SetValue(ssm, newId);
}

I tried adding this function and then calling it immediately done login, and it works for me.

Sources:

  • https://ujjwaladatta.wordpress.com/2016/11/23/regenerating-sessionid-in-asp-net/
  • https://thedotnetlight.wordpress.com/2020/07/03/regenerate-new-session-id-after-login/
0

上一篇:

:下一篇

更多 问答 相关资讯:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

关注公众号

热门标签

图文推荐

Delphi - Custom drawing a message list

Delphi - Custom drawing a message list
C++ header-only include pattern

C++ header-only include pattern
IE7 Margin Collapses Into Padding

IE7 Margin Collapses Into Padding
in CoffeeScript, how can I use a variable as a key in a hash?

in CoffeeScript, how can I use a variable as a key in a hash?
Interactive visualization of a graph in python [closed]

Interactive visualization of a graph in python [closed]
How to customise PHP MYSQL tables?

How to customise PHP MYSQL tables?
High quality, simple random password generator

High quality, simple random password generator
Image Recognition ApI in android

Image Recognition ApI in android

开发者开发者网给大家分享系统运维,大数据运维,云计算,编程开发技巧,路由交换,运维和开发相关的资讯及技术文章,同时StackOverflow中文社区,知识经验交流分享。

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,如存在版权或非法内容,欢迎举报,我们将尽快予以删除。邮箱:devze@qq.com

Copyright © 2018-2020 开发者. All rights reserved. Powered by 开发者ICP备案号: 京ICP备10032868号-9