ASP.NET:Session.SessionID 在请求之间发生变化
为什么 ASP.NET 页面中 Session 对象的属性 SessionID 在请求之间会发生变化?
我有一个这样的页面:
...
<div>
SessionID: <%= SessionID %>
</div>
...
每次我按 F5 时,输出都会不断变化,与浏览器无关。
Why does the property SessionID on the Session-object in an ASP.NET-page change between requests?
I have a page like this:
...
<div>
SessionID: <%= SessionID %>
</div>
...
And the output keeps changing every time I hit F5, independent of browser.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(14)
这就是原因
http://msdn.microsoft.com/en -us/library/system.web.sessionstate.httpsessionstate.sessionid.aspx
所以基本上,除非您在后端访问会话对象,否则每个请求都会生成一个新的 sessionId
编辑
必须将此代码添加到文件 Global.asax 中。它向 Session 对象添加一个条目,以便您修复会话直至其过期。
This is the reason
http://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.sessionid.aspx
So basically, unless you access your session object on the backend, a new sessionId will be generated with each request
EDIT
This code must be added on the file Global.asax. It adds an entry to the Session object so you fix the session until it expires.
还有另一个更隐蔽的原因,即为什么即使 Session 对象已初始化(如 Cladudio 所示),也可能会发生这种情况。
在 Web.config 中,如果有一个
requireSSL="true"但您实际上并未针对特定请求使用 HTTPS: ,那么会话 cookie 不会发送(或者可能不会返回,我不确定是哪一个),这意味着您最终会为每个请求提供一个全新的会话。我发现这个问题很困难,花了几个小时在源代码管理中的几次提交之间来回,直到我发现是什么特定的更改破坏了我的应用程序。
There is another, more insidious reason, why this may occur even when the Session object has been initialized as demonstrated by Cladudio.
In the Web.config, if there is an
<httpCookies>entry that is set torequireSSL="true"but you are not actually using HTTPS: for a specific request, then the session cookie is not sent (or maybe not returned, I'm not sure which) which means that you end up with a brand new session for each request.I found this one the hard way, spending several hours going back and forth between several commits in my source control, until I found what specific change had broken my application.
就我而言,我发现会话 cookie 有一个包含
www.前缀的域,而我请求的页面没有www.。将
www.添加到 URL 立即解决了问题。后来我将 cookie 的域更改为.mysite.com而不是www.mysite.com。In my case I figured out that the session cookie had a domain that included
www.prefix, while I was requesting page with nowww..Adding
www.to the URL immediately fixed the problem. Later I changed cookie's domain to be set to.mysite.cominstead ofwww.mysite.com.我的问题是我们在 web.config
中设置了此设置,这意味着在非 SSL(默认)中调试时, auth cookie 不会被发送回服务器。这意味着服务器将为每个请求发送一个新的身份验证 cookie(带有新会话)回客户端。
修复方法是在 web.config 中将 requiresl 设置为 false,在 web.release.config 中将 requiresl 设置为 true,或者在调试时打开 SSL:
my problem was that we had this set in web.config
<httpCookies httpOnlyCookies="true" requireSSL="true" />this means that when debugging in non-SSL (the default), the auth cookie would not get sent back to the server. this would mean that the server would send a new auth cookie (with a new session) for every request back to the client.
the fix is to either set requiressl to false in web.config and true in web.release.config or turn on SSL while debugging:
使用 Neville 的答案(在 web.config 中删除 requireSSL = true)并稍微修改 Joel Etherton 的代码,这里的代码应该处理在 SSL 模式和非 SSL 模式下运行的站点,具体取决于用户和页面(我正在跳回代码,还没有在 SSL 上测试它,但预计它应该可以工作 - 稍后会太忙而无法回到这里,所以这里是:
Using Neville's answer (deleting requireSSL = true, in web.config) and slightly modifying Joel Etherton's code, here is the code that should handle a site that runs in both SSL mode and non SSL mode, depending on the user and the page (I am jumping back into code and haven't tested it on SSL yet, but expect it should work - will be too busy later to get back to this, so here it is:
就我而言,这是因为我在从外部应用程序中的网关重定向后修改会话,所以因为我在该页面 URL 中使用 IP 而不是本地主机,所以它实际上被认为是具有不同会话的不同网站。
总之
in my case it was because I was modifying session after redirecting from a gateway in an external application, so because I was using IP instead on localhost in that page url it was actually considered different website with different sessions.
In summary
即使定义了 Session_OnStart 和/或初始化了会话,导致 SessionID 在请求之间发生更改的另一种可能性是 URL 主机名包含无效字符(例如下划线)。我相信这是 IE 特定的(未验证),但如果您的 URL 是,例如,
http://server_name/app,那么 IE 将阻止所有 cookie,并且您的会话信息将无法在请求之间访问。事实上,每个请求都会在服务器上启动一个单独的会话,因此如果您的页面包含多个图像、脚本标记等,那么每个 GET 请求都会在服务器上产生不同的会话。
更多信息:http://support.microsoft.com/kb/316112
Another possibility that causes the SessionID to change between requests, even when Session_OnStart is defined and/or a Session has been initialized, is that the URL hostname contains an invalid character (such as an underscore). I believe this is IE specific (not verified), but if your URL is, say,
http://server_name/app, then IE will block all cookies and your session information will not be accessible between requests.In fact, each request will spin up a separate session on the server, so if your page contains multiple images, script tags, etc., then each of those GET requests will result in a different session on the server.
Further information: http://support.microsoft.com/kb/316112
我的问题与 Microsoft MediaRoom IPTV 应用程序有关。结果发现MPF MRML应用程序不支持cookie;更改为在 web.config 中使用 cookieless 会话解决了我的问题
这是一篇关于它的非常旧的文章:
无 Cookie ASP.NET
My issue was with a Microsoft MediaRoom IPTV application. It turns out that MPF MRML applications don't support cookies; changing to use cookieless sessions in the web.config solved my issue
Here's a REALLY old article about it:
Cookieless ASP.NET
就我而言,这种情况在我的开发和测试环境中经常发生。在尝试了上述所有解决方案但没有成功后,我发现可以通过删除所有会话 cookie 来解决此问题。 Web 开发人员扩展使这一切变得非常容易。我主要使用 Firefox 进行测试和开发,但在 Chrome 中测试时也发生过这种情况。该修复在 Chrome 中也有效。
我还没有在生产环境中这样做,也没有收到任何关于人们无法登录的报告。这似乎也只有在确保会话 cookie 安全后才会发生。过去当他们不安全的时候从来没有发生过这种情况。
更新:这只是在我们更改会话 cookie 以确保其安全之后才开始发生。我已确定确切的问题是由浏览器中存在两个或多个具有相同路径和域的会话 cookie 引起的。始终存在问题的就是具有空值或 null 值的值。删除该特定 cookie 后,问题得到解决。我还在 Global.asax.cs Sessin_Start 方法中添加了代码来检查此空 cookie,如果是,则将其过期日期设置为过去的日期。
In my case this was happening a lot in my development and test environments. After trying all of the above solutions without any success I found that I was able to fix this problem by deleting all session cookies. The web developer extension makes this very easy to do. I mostly use Firefox for testing and development, but this also happened while testing in Chrome. The fix also worked in Chrome.
I haven't had to do this yet in the production environment and have not received any reports of people not being able to log in. This also only seemed to happen after making the session cookies to be secure. It never happened in the past when they were not secure.
Update: this only started happening after we changed the session cookie to make it secure. I've determined that the exact issue was caused by there being two or more session cookies in the browser with the same path and domain. The one that was always the problem was the one that had an empty or null value. After deleting that particular cookie the issue was resolved. I've also added code in Global.asax.cs Sessin_Start method to check for this empty cookie and if so set it's expiration date to something in the past.
从 .NET 4.7.2 开始,这种情况发生了变化,这是由于会话 cookie 上的 SameSite 属性造成的。有关详细信息,请参阅此处: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
默认值更改为“Lax”并且开始破坏东西。我将其更改为“无”,事情按预期进行。
This was changing for me beginning with .NET 4.7.2 and it was due to the SameSite property on the session cookie. See here for more info: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
The default value changed to "Lax" and started breaking things. I changed it to "None" and things worked as expected.
确保您没有设置非常短的会话超时,并确保如果您使用基于 cookie 的会话,则您正在接受该会话。
FireFox webDeveloperToolbar 在这种情况下会很有帮助,因为您可以看到为您的应用程序设置的 cookie。
Be sure that you do not have a session timeout that is very short, and also make sure that if you are using cookie based sessions that you are accepting the session.
The FireFox webDeveloperToolbar is helpful at times like this as you can see the cookies set for your application.
会话ID重置可能有多种原因。然而,上面提到的任何内容都与我的问题无关。所以我将描述它以供将来参考。
就我而言,每个请求创建的新会话会导致无限重定向循环。重定向操作发生在 OnActionExecuting 事件中。
另外,我一直在清除所有 http 标头(也在使用 Response.ClearHeaders 方法的 OnActionExecuting 事件中),以防止在客户端缓存站点。但该方法会清除所有标头,包括有关用户会话的信息,从而清除临时存储中的所有数据(我稍后在程序中使用)。因此,即使在 Session_Start 事件中设置新会话也没有帮助。
为了解决我的问题,我确保在发生重定向时不删除标头。
希望它能帮助某人。
Session ID resetting may have many causes. However any mentioned above doesn't relate to my problem. So I'll describe it for future reference.
In my case a new session created on each request resulted in infinite redirect loop. The redirect action takes place in OnActionExecuting event.
Also I've been clearing all http headers (also in OnActionExecuting event using Response.ClearHeaders method) in order to prevent caching sites on client side. But that method clears all headers including informations about user's session, and consequently all data in Temp storage (which I was using later in program). So even setting new session in Session_Start event didn't help.
To resolve my problem I ensured not to remove the headers when a redirection occurs.
Hope it helps someone.
我以不同的方式遇到了这个问题。具有此属性的控制器
[SessionState(SessionStateBehavior.ReadOnly)]正在从不同的会话中读取数据,即使我在应用程序启动时在原始会话中设置了一个值。我通过 _layout.cshtml 添加会话值(也许不是最好的主意?)显然是 ReadOnly 导致了问题,因为当我删除该属性时,原始会话(和 SessionId)将保持不变。使用克劳迪奥/微软的解决方案修复了它。
I ran into this issue a different way. The controllers that had this attribute
[SessionState(SessionStateBehavior.ReadOnly)]were reading from a different session even though I had set a value in the original session upon app startup. I was adding the session value via the _layout.cshtml (maybe not the best idea?)It was clearly the ReadOnly causing the issue because when I removed the attribute, the original session (and SessionId) would stay in tact. Using Claudio's/Microsoft's solution fixed it.
我使用的是 .NET Core 2.1,我很清楚问题与 Core 无关。然而,由于缺乏互联网,谷歌把我带到了这里,希望能为某人节省几个小时。
Startup.csclient.jsControllers/LoginController.cs请注意,会话写入和读取工作正常,但似乎没有将 cookie 传递给浏览器。至少我在任何地方都找不到“Set-Cookie”标头。
I'm on .NET Core 2.1 and I'm well aware that the question isn't about Core. Yet the internet is lacking and Google brought me here so hoping to save someone a few hours.
Startup.csclient.jsControllers/LoginController.csNotice that the session writing and reading works, yet no cookies seem to be passed to the browser. At least I couldn't find a "Set-Cookie" header anywhere.