New Session?


xenophon

I would like to discover whether the current Session ID/token is being
used for the first time. I think I need to trap for this in the
Session_Onstart in global.asax but I don't know for sure.

Thanks.
 
They are GUIDs. The likelihood that they would be reused
is extremely rare.
 
SessionIDs are guaranteed to be unique
from the moment IIS starts until it stops.

There's a small chance that a SessionID might be
repeated if the server is stopped and restarted.

It's a very small chance, statistically speaking, though.





Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET Forums in Spanish
Come, and let's talk about ASP.NET...
======================
 
Hi

In the load of each page, put:

if (Session.IsNewSession)
{
    // The session was created by this request; handle the new session here
}

Regards,

Daniel Roth
MCSD.NET
 
Thanks for the response. In the case of Cookieless Sessions, the token
is in the URI, and if user #1 copy-pastes the URI into an email and
sends it to user #2, then they could both potentially share the same
Session. Bad.

Since I can map a Session token to a user account in code, I just need
to know if it's a new one or not and work from there.

Thanks.
 
Hi Xenophon,

As Daniel has mentioned, we can use the HttpSessionState.IsNewSession to
determine whether the session is newly created by the current request.
However, if your actual concern is the problem with using cookieless
session, I'm afraid we haven't any built-in means to detect whether the
incoming request client is really the correct user associated with the
SessionState (identified by the sessionid embedded in url). That means if A is
visiting the asp.net web app through the sessionidA and B pastes the
sessionidA directly into its URL, B will also make use of A's
sessionstate. In fact, this is because the serverside hasn't enough
information to distinguish users in cookieless scenario. And if you'd like
to manually detect such condition, you can try maintaining a server lookup
list which records all the sessionid associated with its client user's IP
address. Anyway, even using cookieless Session, it's still very rare that
sessionID is reused since every user will have own randomly generated
sessionid.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
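
Added example (not part of the original thread and not code from any of the posters): a minimal sketch of the server-side lookup list described in the reply above, combined with the IsNewSession check suggested earlier in the thread. The names `SessionBindingRegistry`, `Check` and `Forget`, and the sample session IDs and addresses, are constructed for illustration; a client address can change or be shared behind a proxy or NAT, so a mismatch is a signal, not proof.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper (not an ASP.NET API): remembers which client address
// first used each session ID so a pasted cookieless URL can be noticed.
public enum BindingResult { Bound, Match, Mismatch, UnknownSession }

public sealed class SessionBindingRegistry
{
    private readonly ConcurrentDictionary<string, string> _owners =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // isNewSession is the value of Session.IsNewSession for this request.
    public BindingResult Check(string sessionId, string clientIp, bool isNewSession)
    {
        if (isNewSession)
        {
            // First request for this ID: record who it was issued to.
            _owners[sessionId] = clientIp;
            return BindingResult.Bound;
        }
        string owner;
        if (!_owners.TryGetValue(sessionId, out owner))
            return BindingResult.UnknownSession; // e.g. list lost on app restart
        return string.Equals(owner, clientIp, StringComparison.Ordinal)
            ? BindingResult.Match
            : BindingResult.Mismatch;
    }

    // Call when the session ends so the list does not grow without bound.
    public void Forget(string sessionId)
    {
        string ignored;
        _owners.TryRemove(sessionId, out ignored);
    }
}

public static class Demo
{
    public static void Main()
    {
        var registry = new SessionBindingRegistry();
        // Constructed sample requests: (session ID from URL, client IP, IsNewSession).
        Console.WriteLine(registry.Check("sessA", "192.0.2.10", true));
        Console.WriteLine(registry.Check("sessA", "192.0.2.10", false));
        Console.WriteLine(registry.Check("sessA", "198.51.100.7", false));
    }
}
```

In a web application the three arguments would come from Session.SessionID, Request.UserHostAddress and Session.IsNewSession. On a mismatch, refuse the request or require the user to sign in again instead of abandoning the session, so that someone holding a copied URL cannot end the original user's session.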
 