Session.Abandon 调用后 SessionID 仍然相同
我正在编写一些基于 SessionID 的日志记录代码...
但是,当我注销(调用 Session.Abandon)并再次登录时,SessionID 仍然相同。基本上我电脑上的每个浏览器都有自己的“附加”会话ID,并且由于某种原因它不会改变:/
知道发生了什么吗?
我的会话配置如下所示:
<sessionState
mode="InProc"
timeout="1" />
谢谢,Paweł
I'm writing some logging code that is based on SessionID...
However, when I log out (calling Session.Abandon), and log in once again, SessionID is still the same. Basically every browser on my PC has it's own session id "attached", and it won't change for some reason :/
Any ideas what is going on?
My Session config looks like this:
<sessionState
mode="InProc"
timeout="1" />
Thanks, Paweł
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您可以显式清除会话 cookie。您应该通过配置控制cookie名称,并在清除时使用相同的名称。
编辑:
会话被放弃时清除会话 cookie 将强制 ASP.NET 创建新的会话和会话。下一个请求的sessionid。顺便说一句,清除会话 cookie 的另一种方法是使用 SessionIDManager.RemoveSessionID 方法。
You may explicitly clear the session cookie. You should control the cookie name by configuration and use same name while clearing.
Edit:
Clearing session cookie when session is abandoned will force ASP.NET to create new session & sessionid for next request. BTW, yet another way to clear the session cookie is to use SessionIDManager.RemoveSessionID method.
这对我有用,唯一的警告是该代码需要与您的登录例程分开。
直到页面加载完成后才会生效。在我的应用程序中,我有一个简单的安全例程,它强制使用新的 ID,如下所示:
Here's what worked for me, the only caveat is that this code need to be separated from your login routine.
It will not take effect until the page is finished loading. In my application I have a simple security routine, that forces a new ID, like this:
这是一篇旧帖子,但如果有人仍在寻找答案,这里有一个完整的分步解决方案,介绍如何每次使用新的会话 ID 实现干净注销。
请注意,本文仅适用于启用 cookie (cookieless=false) 的网站。
步骤(1)修改你的web.config文件&添加“regenerateExpiredSessionID”标志,如下 -
步骤 (2) 在注销事件中添加以下代码 -
步骤 (3) 在登录页面的 page_load 事件中添加以下代码 -
步骤 2 和 3 有一个重要目的。此代码可确保在您单击“登录”按钮后生成一个全新的会话 ID。这可以防止弱会话管理(会话固定漏洞),这种情况可能会在您的站点的第三方渗透测试期间被发现。
希望这有帮助。
This is an old post but if someone is still looking for answers, here is a complete and step-by-step solution on how to achieve a clean logout with a new session ID every time.
Please note this article applies to cookie-enabled (cookieless=false) sites only.
Step (1) Modify your web.config file & add "regenerateExpiredSessionID" flag as under -
Step (2) Add the following code in your logout event -
Step (3) Add the following code in your login page's page_load event -
Step 2 and 3 serve one IMPORTANT purpose. This code makes sure a brand new Session ID is generated after you click the "Login" button. This prevents Weak Session Management (Session Fixation vulnerability) which will likely be spotted during a 3rd party Penetration Testing of your site.
Hope this helps.
这是设计时的默认行为,如 此处所述:
。您可以如上所述禁用此设置。
编辑:将 regenerateExpiredSessionId 属性设置为 true 仅适用于无 cookie 会话。为了解决您的问题,您可以考虑实现一个继承 SessionIDManager 类的自定义类。您可以在此处和此处。
This is a default behavior by design as stated here:
You can disable this setting as mentioned above.
EDIT: Setting regenerateExpiredSessionId attribute to true works only for cookieless sessions. To overcome your problem, you can consider to implement a custom class that inherits SessionIDManager class. You can get information about that here and here.
查看这篇文章,其中解释了 session.abandon 的过程
http://support.microsoft.com/kb/899918< /a>
摘自上面的链接 -
“当您放弃会话时,会话 ID cookie 不会从用户的浏览器中删除。因此,一旦会话被放弃,对同一应用程序的任何新请求都将使用相同的会话 ID,但将有一个新的会话状态实例”
Check this article which explains the process on session.abandon
http://support.microsoft.com/kb/899918
Taken from above link -
"When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance"