In ASP.NET, when should I use Session.Clear() rather than Session.Abandon()?

asp.net .net session session-state
115,553

Solution 1

Session.Abandon() destroys the session and the Session_OnEnd event is triggered.

Session.Clear() just removes all values (content) from the Object. The session with the same key is still alive.

So, if you use Session.Abandon(), you lose that specific session and the user will get a new session key. You could use it for example when the user logs out.

Use Session.Clear(), if you want that the user remaining in the same session (if you don't want the user to relogin for example) and reset all the session specific data.

Solution 2

Only using Session.Clear() when a user logs out can pose a security hole. As the session is still valid as far as the Web Server is concerned. It is then a reasonably trivial matter to sniff, and grab the session Id, and hijack that session.

For this reason, when logging a user out it would be safer and more sensible to use Session.Abandon() so that the session is destroyed, and a new session created (even though the logout UI page would be part of the new session, the new session would not have any of the users details in it and hijacking the new session would be equivalent to having a fresh session, hence it would be mute).

Solution 3

Session.Abandon destroys the session as stated above so you should use this when logging someone out. I think a good use of Session.Clear would be for a shopping basket on an ecommerce website. That way the basket gets cleared without logging out the user.

Share:
115,553
Lance Fisher
Author by

Lance Fisher

Missoula .NET Users Group Founder Father Husband Ultra runner Believer Snowboarder Math Geek Learning Russian Learning Spanish

Updated on May 05, 2020

Comments

  • Lance Fisher
    Lance Fisher about 4 years

    Both Session.Clear() and Session.Abandon() get rid of session variables. As I understand it, Abandon() ends the current session, and causes a new session to be created thus causing the End and Start events to fire.

    It seems preferable to call Abandon() in most cases, such as logging a user out. Are there scenarios where I'd use Clear() instead? Is there much of a performance difference?

  • Trisped
    Trisped almost 12 years
    What would be the point of hijacking an empty session? The hijacker would still have to log in, and their is no data to accidently provide to the new user.
  • Bibhu
    Bibhu over 11 years
    I believe better to use RemoveAll() instead of Clear(), as "Darin Dimitrov" has suggested over here stackoverflow.com/a/3931344/713246
  • Adam Miller
    Adam Miller about 10 years
    @Bibhu: How did he suggest that RemoveAll() was better than Clear()? All I saw in his answer was that RemoveAll() calls Clear(), and seems to be functionally identical.
  • brichins
    brichins over 9 years
    Just used Session.Abandon() as a 'logout' on an internal app using Windows Authentication - users did not have to re-authenticate (Chrome, FF), but the session disposed and a new one issued, which met my requirements
  • WTFZane
    WTFZane about 7 years
    But what if I use Session.Abandon to just clear a specific shopping basket?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Cannot access session asp.net core
How to use session management with Load Balancer in Asp.Net
How to clear SQL session state for all users in ASP.NET
Session state can only be used when enableSessionState is set to true
In what situations the HttpContext.Current.Session can be null?
How to prevent session timeout
asp.net session state mode "SQLServer"
Session Timeout Warning in ASP.NET
Create session in C#
Pros and Cons of using ASP.NET Session State Server (instead of InProc)?