Home/ Questions/Q 6227713
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T09:16:09+00:00

The system I am working on does not use standard ASP.NET Auth/ Membership facilities

  • 0

The system I am working on does not use standard ASP.NET Auth/ Membership facilities for logging users in/ out. Therefore after logging the user in I want to issue a new Session ID to the user in order to prevent Session trapping/ Hijacking. The problem i have is that although I have been able to successfully create a new session with a new ID and copy the various components to the newly created session eg. session[“value”]. By the end of the code excerpt below the newly created session is the current HTTPContext’s session, and has the session values that were copied accross. However after performing a Response.Redirect the new session is in action, but none of the session[“values”] have persisted across the two requests. As you can see from the code below i’ve tried adding the values to a number of collections to avail.

Any help would be amazing!! Thanks in advance

    bool IsAdded = false;
    bool IsRedirect = false;

    HttpSessionState state = HttpContext.Current.Session;        
    SessionIDManager manager = new SessionIDManager();
    HttpStaticObjectsCollection staticObjects = SessionStateUtility.GetSessionStaticObjects(HttpContext.Current);
    SessionStateItemCollection items = new SessionStateItemCollection();

    foreach (string item in HttpContext.Current.Session.Contents)
    {
        var a = HttpContext.Current.Session.Contents[item];
        items[item] = a;
    }  

    HttpSessionStateContainer newSession = new HttpSessionStateContainer(
                                                    manager.CreateSessionID(HttpContext.Current),
                                                    items,
                                                    staticObjects,
                                                    state.Timeout,
                                                    true,
                                                    state.CookieMode,
                                                    state.Mode,
                                                    state.IsReadOnly);

    foreach (string item in HttpContext.Current.Session.Contents)
    {
        var a = HttpContext.Current.Session.Contents[item];
        newSession.Add(item,a);
    }



    SessionStateUtility.RemoveHttpSessionStateFromContext(HttpContext.Current);

    SessionStateUtility.AddHttpSessionStateToContext(HttpContext.Current, newSession);

    manager.RemoveSessionID(HttpContext.Current);
    manager.SaveSessionID(HttpContext.Current, newSession.SessionID, out IsRedirect, out IsAdded);

    return newSession.SessionID;
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Basically it appears it’s not possible since you can only add session variables once there has been one round trip to the client to create the corresponding session cookie. Therefore I had to create the new new session (with new ID) so that by the time I came to adding session variables, the client cookie had the appropriate session id: annoying since this in reality is issuing the new session ID before the user is authenticated.

    Interestingly, it seems a little strange that issuing a new Session ID is exactly what the standard asp.net authentication/ membership functionality does but is able to maintain session variables, and yet doing it manually it doesn’t….are there some methods for this that are not being exposed to us mere developers maybe….

    • 0