1

I am using Redis for session store on my asp.net core 2.x web app. I was under the impression that the Httpcontext.Session.Id is used as the key to persist session state on redis. After further inspection via the redis-cli I found out the redis key to store the session is not the Session Id, nor the value I am setting (i.e. "client:name") instead it appears to be the _sessionKey of the Http Session object (which is a private member). Anyone know why the _sessionKey is being used and not the Session.Id, or the key I used to save to session? How can I get the private _sessionKey of the HttpContext.Session object?

I would like to be able to query redis via the cli by a SessionId. 

// session config
services.AddSession();
//Add distributed cache service backed by Redis cache
services.AddDistributedRedisCache(o =>
{
    o.Configuration = Configuration.GetConnectionString("Redis");
});

// Also, I am injecting the Session Middleware "app.UseSession();" prior to app.UseMvc()
Improve this question

1 Answer 1

Reset to default
3

The ASP.NET Core team have responded to this when it was raised as an issue on the Github repo:

The lifetimes are different. The true lifetime of a session (and SessionId) is controlled by the server. SessionKey is stored in the cookie and lives on the client for an indeterminate amount of time. If the session expires on the server and then the client sends a new request with the old SessionKey, a new session instance with a new SessionId is created, but stored using the old SessionKey so that we don't have to issue a new cookie.

Put another way, don't depend on things outside of your control. The client can keep and replay their SessionKey indefinitely, but it's the server that decides if that is really still the same session.

That aside, I honestly can't see any value in querying Redis directly for a session, anyways. All the session data is encrypted, and you won't be able to decrypted it without the same data protection provider that the app is using, which you obvious can only access within the context of the app. If you're already in that context, then you can simply access Session directly.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Very helpful response. Honestly, I was not aware of the "data protection provider" idea/implementation and its usage. Your comment is quite helpful. Thank you.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.