2

I am wondering how the Session ID works in Forms Authentication? Because I did a Response.Write(Session.SessionID); on my home controller and then logged out. I then logged in as a new User and the Session ID was the same. Below are my LogOn and LogOff Actions:

LogOn:

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        try
        {
            if (ModelState.IsValid)
            {
                if (Membership.ValidateUser(model.UserName, model.Password))
                {
                    // Issues the Forms Authentication cookie only; the
                    // ASP.NET_SessionId cookie is not touched here.
                    FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

                    // Only follow returnUrl when it is a local path (open-redirect check).
                    if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                        && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                    {
                        return Redirect(returnUrl);
                    }
                    else
                    {
                        return RedirectToAction("Index", "Home");
                    }
                }
                else
                {
                    ModelState.AddModelError("", "The user name or password provided is incorrect.");
                }
            }

            // If we got this far, something failed, redisplay form
            return View("LogonError", model);
        }
        catch (Exception ex)
        {
            // The raw exception message is rendered back to the client here.
            string test = ex.Message;
            return PartialView("_Error", test);
        }
    }

LogOff:

    public ActionResult LogOff()
    {
        // Removes the Forms Authentication cookie; the session (and its ID) survives.
        FormsAuthentication.SignOut();

        return RedirectToAction("Index", "Home");
    }
1
  • There are 2 different cookies for authentication and session. Commented Jun 2, 2014 at 2:41

1 Answer

4

Session has its own cookie, different from the Forms Authentication cookie


7 Comments

Forgive me but I'm new to Forms Authentication. How would I then resolve this as I'm creating a basket linked to a Session ID so if 2 users have the same Session ID then they'll see each other's items?
The only way to hijack another session is to have the actual cookie. However, when you log out the user you can call Session.Abandon() which should destroy the current session.
I've just tried this whilst using IntelliSense and found the Abandon method but it still output the same Session ID
Quote from MSDN: Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting the regenerateExpiredSessionId attribute of the sessionState configuration element to true. For more information, see Session Identifiers.
Solved it: I added Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); to my logoff action; this gives a new ID each time.
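The answer and the comment thread above describe the two halves of the problem: the Forms Authentication cookie and the ASP.NET_SessionId cookie are independent, Session.Abandon() alone does not change the ID the browser keeps sending, and the fix is to make the browser drop the old session cookie. The controller below is an added example written for this page, not code from the question or the answer. It keeps the question's LogOnModel, Membership provider and views, and goes one step further than the accepted fix: it also issues a fresh session ID when a user logs in, so a session ID handed out to an anonymous visitor (and anything, such as a basket, stored under it) is never carried over into the authenticated session. The helper names RegenerateSessionId and ExpireSessionCookie are mine; the cookie name ASP.NET_SessionId is the ASP.NET default and changes if sessionState cookieName is set in web.config.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Web.SessionState;

// Added example for this page, not the question's or the answer's own code.
// Assumes the question's LogOnModel and Membership configuration.
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View("LogonError", model);
        }

        if (!Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View("LogonError", model);
        }

        // Drop the pre-login session and hand the browser a new ASP.NET_SessionId
        // before the auth cookie is issued. Anything the anonymous visitor stored
        // under the old ID is discarded; re-populate it on a later request if needed.
        RegenerateSessionId();

        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Url.IsLocalUrl already rejects null, absolute, "//" and "/\" URLs.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    public ActionResult LogOff()
    {
        // Removes the Forms Authentication ticket cookie only.
        FormsAuthentication.SignOut();

        // Abandon() destroys the server-side session at the end of this request,
        // but the browser still holds the cookie with the old ID, and by default
        // ASP.NET starts a new session under that same ID on the next request.
        Session.Abandon();

        // So also expire the cookie: the next request arrives without an ID and
        // gets a freshly generated one, which is what the comment above achieved
        // by writing an empty ASP.NET_SessionId cookie.
        ExpireSessionCookie();

        return RedirectToAction("Index", "Home");
    }

    // Hypothetical helper: mark the current session abandoned and write a new
    // session ID cookie to the response using the framework's SessionIDManager.
    private void RegenerateSessionId()
    {
        Session.Abandon();

        var context = System.Web.HttpContext.Current;
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);

        bool redirected, cookieAdded;
        // cookieAdded is true in cookie mode; redirected is true only in cookieless mode.
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
    }

    // Hypothetical helper: overwrite the session cookie with one that has already
    // expired, so the browser deletes it instead of replaying the old ID.
    private void ExpireSessionCookie()
    {
        var cookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        Response.Cookies.Add(cookie);
    }
}
```

Two caveats worth knowing when applying this. First, the regenerateExpiredSessionId setting quoted in the comments only reissues IDs in cookieless session mode; with the default cookie mode you have to expire or replace the cookie yourself, as above. Second, after RegenerateSessionId() runs, Session for the remainder of that request is still bound to the abandoned ID, so anything written to Session later in the same LogOn request will not be visible under the new ID; write per-user state (the basket) on a subsequent request.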
