What is the difference between Session.Abandon() and Session.Clear() in ASP.Net?
Session.Abandon() will end the current session. Session_End will be fired and the next request will fire the Session_Start event.
Session.Clear will just clear the session data and the session will remain alive.
Session ID will remain the same in both cases, as long as the browser is not closed.
In a nutshell:
Session.Abandon(); cancels the current Session.
Session.Clear(); clears all values from Session state.

Session.Abandon() will destroy/kill the entire session.
Session.Clear() removes/clears the session data (i.e. the keys and values from the current session) but the session will be alive.
Compared to the Session.Abandon() method, Session.Clear() doesn't create a new session; it just makes all variables in the session NULL.
Session ID will remain the same in both cases, as long as the browser is not closed.

Some things to note here from my experience:
Session.Abandon() does not invalidate the current session. Old requests execute fine if you replay them.
But, after you call it, setting the contents of the abandoned session dictionary has no permanent effect. The next request gets a fresh new session dictionary (even if you use the same session ID by replaying a previous request) and none of your previous changes to it (after having called the method) are there.
So, it seems that Session.Abandon() totally stops the persistence of the entire session, while Session.Clear() only removes its data.
And, also, if you need to secure your application from replay attacks, you should add some logic that validates sessions and not depend on any of these built-in methods. Those seem to be meant for only managing the persistence of the session data, not for securing your application.
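
One way to add the session validation the last answer recommends, as an added example that is not part of any answer above. It assumes ASP.NET on .NET Framework (System.Web) served over HTTPS; SessionGuard, the AuthToken key and the method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;

// Hypothetical helper (all names are assumptions): ties the logged-in state to a
// random per-login token kept both in session state and in a separate cookie.
public static class SessionGuard
{
    private const string TokenKey = "AuthToken";               // assumed key/cookie name
    private const string SessionCookie = "ASP.NET_SessionId";  // default session cookie

    // Call once the user's credentials have been verified.
    public static void OnLogin(HttpContext ctx)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        ctx.Session[TokenKey] = token;
        // Secure = true assumes the site is HTTPS-only.
        ctx.Response.Cookies.Add(new HttpCookie(TokenKey, token) { HttpOnly = true, Secure = true });
    }

    // Call on every authenticated request, after session state is available.
    // Once the session was abandoned, the next request gets an empty session
    // dictionary, so the stored token is missing and the check fails.
    public static bool IsValid(HttpContext ctx)
    {
        var expected = ctx.Session[TokenKey] as string;
        HttpCookie cookie = ctx.Request.Cookies[TokenKey];
        return expected != null && cookie != null
            && string.Equals(expected, cookie.Value, StringComparison.Ordinal);
    }

    public static void OnLogout(HttpContext ctx)
    {
        ctx.Session.Clear();          // remove the stored keys and values
        ctx.Session.Abandon();        // stop persisting this session
        Expire(ctx, SessionCookie);   // make the browser drop the old session ID
        Expire(ctx, TokenKey);
    }

    private static void Expire(HttpContext ctx, string name)
    {
        ctx.Response.Cookies.Add(new HttpCookie(name, "")
            { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true });
    }
}
```

A request that fails IsValid should be treated as unauthenticated and sent back through login rather than served.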