VS.NET 2002/2003: Discussions about the Visual Studio.NET programming environment, the 2002 (1.0) and 2003 (1.1).
Welcome to the p2p.wrox.com Forums.
You are currently viewing the VS.NET 2002/2003 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

December 29th, 2004, 01:16 PM
Authorized User
Session ID saga
Continuing my post in the "session variables randomly disapper.." topic
.....
I was writing about the session ID related problems, and my last post was about how the session ID remains the same in the browser although I abandon the session and clear all session values.
I just found out that if I use a relative URL to transfer to the next page (from the log out page to the log in page in my case; my user logs out by clicking a [Log Out] link and I transfer him/her back to the login page), the previously generated session ID remains the same. But if I use an absolute URL in my link/hyperlink button, I get a new session ID.
Also, if I use an absolute URL in the Response.Redirect method (instead of <a> or <asp:hyperlink>), I get the same session ID.
Is it only happening to me, or is this normal?

December 29th, 2004, 05:24 PM
Wrox Author
Hi again,
Can you do this little test? Create three ASP files, called Session1.asp, Session2.asp and Session3.asp. Put the following code in the body of each ASP file:
Code:
Session1.asp
<%
Session("Test") = "My Test"
Response.Redirect("Session2.asp")
%>
Session2.asp
<%
Response.Write(Session.SessionID)
Session.Abandon()
%>
<a href="Session3.asp">Session3.asp</a>
Session3.asp
<%
Response.Write(Session.SessionID)
%>
Next, open Session1.asp in your browser, and notice the Session ID. Then click the link to Session3.asp. Do you get a new Session ID?
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Amsterdam by Coldplay (Track 11 from the album: A Rush Of Blood To The Head)

December 30th, 2004, 01:01 PM
Authorized User
If I use this code as it is, I get the same session ID! But if I use the absolute URL in <a href="\myapp\Session3.asp">Session3.asp</a>, I get the NEW session ID.
I was reading some Microsoft documentation and learned that a "drawback" of using cookieless sessions is that "session state is lost if an absolute URL is invoked".
Ref: http://msdn.microsoft.com/library/en...ssionstate.asp
(described in the "Cookieless Sessions" section)
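
Added example, not part of any post in this thread: a small C# check of why the form of a link matters in cookieless mode. It assumes the ASP.NET 1.x cookieless layout, where the session ID travels in the URL path as a parenthesised segment (/myapp/(id)/page.aspx); the host, application name and session ID are constructed sample values, and forward slashes are used in place of the backslashes in the post.

```csharp
using System;
using System.Text.RegularExpressions;

static class CookielessLinkCheck
{
    // Assumed ASP.NET 1.x cookieless layout: /myapp/(sessionid)/page.aspx
    static readonly Regex SessionSegment =
        new Regex(@"/\((?<id>[A-Za-z0-9]+)\)/");

    // Session ID carried in the URL path, or null when the path has none.
    public static string SessionIdOf(Uri url)
    {
        Match m = SessionSegment.Match(url.AbsolutePath);
        return m.Success ? m.Groups["id"].Value : null;
    }

    // Resolve href against the current page as a browser would, then check
    // whether the resolved URL still carries the page's session ID.
    public static bool KeepsSession(Uri page, string href)
    {
        Uri target = new Uri(page, href);
        string id = SessionIdOf(page);
        return id != null && target.Host == page.Host && SessionIdOf(target) == id;
    }

    static void Main()
    {
        // Constructed sample values: host, application and session ID.
        Uri page = new Uri("http://localhost/myapp/(abc123sample)/Session2.aspx");
        string[] hrefs =
        {
            "Session3.aspx",                          // relative to current folder
            "Session3.aspx?from=logout",              // relative with query string
            "../Session3.aspx",                       // climbs above the ID segment
            "/myapp/Session3.aspx",                   // root-relative path
            "http://localhost/myapp/Session3.aspx"    // fully qualified URL
        };
        foreach (string href in hrefs)
        {
            Uri target = new Uri(page, href);
            Console.WriteLine("{0,-40} -> {1}  [{2}]", href, target.AbsoluteUri,
                KeepsSession(page, href) ? "same session ID" : "ID dropped");
        }
    }
}
```

Only links that resolve inside the ID segment send the old ID back to the server; the other forms leave it out of the request.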

December 31st, 2004, 05:51 AM
Wrox Author
That's interesting. Apparently, cookie-less sessions work differently from normal sessions. When I run the sample, I get a new Session ID right away.
In your absolute URL example, is \myapp\Session3.asp in the same application as the other pages? It makes sense that you get a new Session ID when you request pages in a different application.
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Red Right Hand by Nick Cave & the Bad Seeds (Track 5 from the album: Let Love In)

January 3rd, 2005, 12:09 PM
Authorized User
Yes, the "session3.aspx" was in the same application as the other page. (Did you test with ASP pages or ASPX pages?) Because I tested with .NET ASPX pages, and I am sure this buddy handles sessions differently than old ASP. Anyway...
I came up with a solution for my original problem (assuming we have a session ID problem).
We are going to track the session by storing the current session ID in the database along with some user-specific information and a timestamp when the user logs in. If the user's session is active (if anyone tries to log in with the same session ID), we are going to deny the login and ask them to open a new instance of the browser.
That will remove any chance of two users using the same session ID and seeing the same data.
(The app will be a little slow, but what the heck!)
The session-tracking record will be removed from the database when the user logs off or the session times out.
By the way, is the session_timeout event really reliable?

January 3rd, 2005, 03:16 PM
Wrox Author
Right, I see. My bad. Somehow, I tested this with classic ASP pages. Soon as I changed the extensions to ASPX, I see the same behavior you described: I get the same ID for both pages.
If you mean Session_End when you say Session Timeout, then its reliability depends ;) When you use SQL Server as the state server, it will not fire at all. For InProc I am almost sure it'll work in 100% of the cases. Just don't expect it to fire when the user closes the browser. You'll actually have to wait for the Timeout period before the session is ended (unless you use Session.Abandon).
So, if you're logging the user data, and compare new Session IDs against that data, be sure to keep a reasonable time margin for the session to end. This way you can ensure no two users are using the same Session ID.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
While typing this post, I was listening to: Headhunter [Version 1.0] by Front 242 (Track 11 from the album: Front by Front)
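
Added example, not code from either poster: a C# sketch of the login-time check described in the previous post, with the time margin suggested in this one. The class and method names are hypothetical, an in-memory dictionary stands in for the database table, and the 20-minute timeout, 5-minute margin and session ID are constructed values.

```csharp
using System;
using System.Collections.Generic;

// In-memory stand-in for the session-tracking table (hypothetical names).
class SessionRegistry
{
    class Entry { public string User; public DateTime LastSeen; }

    readonly Dictionary<string, Entry> active = new Dictionary<string, Entry>();
    readonly TimeSpan timeout;  // session timeout configured for the application
    readonly TimeSpan margin;   // extra wait, since Session_End may be late or never fire

    public SessionRegistry(TimeSpan timeout, TimeSpan margin)
    { this.timeout = timeout; this.margin = margin; }

    // Login: refuse when the presented ID is still bound to a session that
    // could be alive; a record older than timeout + margin is treated as dead.
    public bool TryLogin(string sessionId, string user, DateTime now)
    {
        Entry e;
        if (active.TryGetValue(sessionId, out e) && now - e.LastSeen < timeout + margin)
            return false;
        active[sessionId] = new Entry { User = user, LastSeen = now };
        return true;
    }

    // Every authenticated request refreshes the record's timestamp.
    public void Touch(string sessionId, DateTime now)
    {
        Entry e;
        if (active.TryGetValue(sessionId, out e)) e.LastSeen = now;
    }

    // Explicit logout (or Session_End, when it fires) releases the ID at once.
    public void Release(string sessionId) { active.Remove(sessionId); }

    static void Main()
    {
        var reg = new SessionRegistry(TimeSpan.FromMinutes(20), TimeSpan.FromMinutes(5));
        DateTime t = new DateTime(2005, 1, 3, 12, 0, 0);  // constructed timeline
        Console.WriteLine("alice logs in:            " + reg.TryLogin("abc123sample", "alice", t));
        Console.WriteLine("bob, same ID, +10 min:    " + reg.TryLogin("abc123sample", "bob", t.AddMinutes(10)));
        Console.WriteLine("bob, same ID, +22 min:    " + reg.TryLogin("abc123sample", "bob", t.AddMinutes(22)));
        Console.WriteLine("bob, same ID, +26 min:    " + reg.TryLogin("abc123sample", "bob", t.AddMinutes(26)));
        reg.Release("abc123sample");
        Console.WriteLine("carol after bob logs out: " + reg.TryLogin("abc123sample", "carol", t.AddMinutes(27)));
    }
}
```

In a web application the dictionary would be shared between requests, so it needs a lock, or the check belongs in the database behind a uniqueness constraint on the session ID column.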

January 4th, 2005, 10:06 AM
Authorized User
Thanks Imar..
this conversation really helped!!! and thanks to wrox too for giving developers a useful space to talk.
Thanks.

January 4th, 2006, 07:48 PM
Registered User
Hi guys,
I am using sessions in my application and having the same problem. For some reason, some users are viewing other users' data. It's like the session ID is being interchanged between some users.