How to create Session Id for every Login in Asp.net MVC?
26,872
Solution 1
I got better solution to create new session id like
SessionIDManager manager = new SessionIDManager();
string newSessionId = manager.CreateSessionID(HttpContext.Current);
above code helped me.
Solution 2
Try this when you abandon session/Logout:
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
By clearing out that cookie, a new session with a new session ID will be created after second login.
Related videos on Youtube
Author by
Developer
Updated on July 09, 2022Comments
-
Developer almost 2 years
I am new to MVC, I want to get new sessionId for everylogin, for that i am getting like
string sessionId=HttpContext.Current.Session.SessionID;
But, it is generating same sessionid for every login.
I have used to remove or clear session like below:
Session.Abandon(); Session.RemoveAll(); Session.Clear();
But there is no change in genereating sessionid for every login. Is there any alternative to create new sessionId for every login?
-
Ahmed ilyas almost 10 yearswhats the significations to you for getting a unique sessionID for every login? you shouldn't worry about that at all...
-
Developer almost 10 yearsfor some requirements in my project. I need to get sessionid!
-
Ahmed ilyas almost 10 yearsrequirements are terrible in such a case.... they shouldn't depend on sessionID. what exactly is the requirement? you need to correct this before moving onwards. also, take a look at this: msdn.microsoft.com/en-us/library/… and this: forums.asp.net/post/7504.aspx
-
Developer almost 10 yearsYes I do, requirement is if a user logged in with his credentials , and another user should not login until first user log out , straightly preventing multi-user login.
-
Ahmed ilyas almost 10 yearssessionID is not reliable for such a thing. you need some other means to truly determine this case. Also, read this about sessionID: forums.asp.net/post/7504.aspx - you are most likely using the same browser session to check your session id.
-
Developer almost 10 yearsis there any option to generate new sessionId for every time?
-
Ahmed ilyas almost 10 yearsNo. the ASP.NET engine does this - users should never do this for many reasons. Only other way is to download the ASP.NET MVC source code and modify it and use it to your needs. But you will be shooting yourself in the foot by doing these changes.
-
Paul T Davies over 9 years@Ahmedilyas Do you not leave the newly logged in user open to session fixation attacks? if a previous user has made a note of the session Id, they can hijack the session when the new user has logged in (assuming authentication/authorization have not been properly implemented).
-
Ahmed ilyas over 9 yearsnot sure I follow. I understand what you are saying about the session fixation attacks but don't quite understand your comment.
-
Paul T Davies over 9 years@Ahmedilyas So I am on computer A, I observer that the session ID is 1234. I go away from computer A and observer another user log into a website. I set my session ID on computer B to 1234 and go to the same website. If the website is not properly secured, I will be presented with the other user's data. Having a new session ID will prevent this (yes I know it can be prevented with proper authentication/authorization but some of us have paranoid clients and see having the same ID as a massive security hole).
-
Ahmed ilyas over 9 yearsRight - sure. I agree but this shouldn't be used to ignore the whole authorization and authentication process either. Even creating a new sessionID will result, at some point, on generating a previous generated sessionID but chances of this happening quite often are VERY low.
-
Paul T Davies over 9 years@Ahmedilyas I agree it is not a replacement for authorization, but clients have read up on session fixation and panic when they see the session ID not changing! I'm not sure session fixation/session hijacking is even an issue if security is implemented properly?
-
Paul T Davies over 9 yearsYes it is - you just use the the .ASPXAUTH cookie instead of ASP.NET_SessionId.
-
-
Matheus Miranda over 6 yearsYour answer is telling you to get
SessionID
. Friend wants to createSessionID
.