Generally in ASP.NET we have a unique SessionID for one request.
Example: once you browse any website, the entire browsing activity from one browser is considered one session, and it should only carry one session ID.
But on my website, for ONE request many SessionIDs are being created in a fraction of a second; it's 25000 within 1 day!
Can anyone explain to me how to control this repeated generation of SessionIDs?
Ref
When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object.
If your application uses cookieless session state, the session ID is generated on the first page view and is maintained for the entire session.
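The fix described in the quoted documentation, as an added example that is not part of the original posts: a Global.asax code-behind that stores a value in Session_Start so the ID stays fixed, plus a log line for every request that lands on a brand-new session. The key name "CreatedUtc" and the log text are assumptions; "ASP.NET_SessionId" is the default session cookie name and differs if cookieName is set in web.config.

```csharp
// Global.asax.cs: added example. "CreatedUtc" and the log wording are illustrative.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Runs once when ASP.NET creates a session. Storing any value allocates
    // session storage, so the ID already issued in the cookie is kept for
    // the following requests instead of being replaced on each page request.
    protected void Session_Start(object sender, EventArgs e)
    {
        Session["CreatedUtc"] = DateTime.UtcNow;
    }

    // Runs after session state has been loaded for the request. Logging the
    // requests that start a new session shows where the churn comes from,
    // for example clients that never send the session cookie back.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Session == null)
        {
            return; // the handler for this request does not use session state
        }

        if (ctx.Session.IsNewSession)
        {
            // Default cookie name; assumption: cookieName is not overridden.
            bool cookieSent = ctx.Request.Cookies["ASP.NET_SessionId"] != null;

            // The session ID itself is deliberately not written to the log.
            Trace.TraceInformation(
                "New session on {0}; session cookie sent by client: {1}",
                ctx.Request.Path, cookieSent);
        }
    }
}
```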
Related
I'm currently working on a POC in which I need to persist a unique object for each request. My application posts a form to some other site and waits for the response from that site on my response handler. So I want to get that unique object on my response handler too.
I have tried Session, but what if the session expires?
Store the object in DB and store the DB identifier in the cookie. Then you will have the DB identifier on every request. Also send this identifier to the other site and when you get it back you know what to process.
Instead of a cookie, you can also store the data in browser storage if cookies are disabled.
I have a session variable which is accessed by multiple users from different PCs, so my question is: do session variables get overwritten when the same login credentials are used?
Session variables / objects are 'unique to users', also unique to browsers, and are not overwritten by other users. You can read more about session state here.
Sessions are identified by a unique identifier that can be read by
using the SessionID property. When session state is enabled for an
ASP.NET application, each request for a page in the application is
examined for a SessionID value sent from the browser. If no SessionID
value is supplied, ASP.NET starts a new session and the SessionID
value for that session is sent to the browser with the response. Reference
Session variables / cookies are unique to users/browsers only. However, you are confusing sessions with Application variables, which are global to users. Sessions are generated by the web server.
In my web application I am using sessions for storing the user specific data for persisting the data in between the postbacks.
I would like to know the difference between storing the data in sessions as
Session["selectedItem"] = somevalue;
and
Session["UserName"]["SelectedItem"] = somevalue;
where I have a session named Session["UserName"] which stores the name of the user who is logged in.
To go into more depth: let's say there are 2 users, one logged in from Firefox and the other from Internet Explorer. Will there be any conflict if I store the value the first way, meaning the session data is overwritten or shared, and would this conflict be resolved if I use sessions the second way?
Is there any noticeable difference in the way the session variable is stored between these 2 session implementations, or are they just identical?
Data stored in a session is, per definition, stored against a specific user - and it will work regardless of whether your user has been authenticated or not (if your user is anonymous the server will still set a cookie in the user's browser with a unique id for the user's session).
The session object provides a simple one-dimensional collection for storing data, meaning that you can only store data in the session by providing a single key, e.g.
Session["myKey"] = myObject;
Of course, if myObject is an array or another collection then you can reference elements within myObject like this:
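var first = ((IList)Session["myKey"])[0];                    // Session[...] returns object, so cast before indexing
var other = ((IDictionary)Session["myKey"])["anotherKey"];   // IList and IDictionary are in System.Collections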
Sessions are unique per user, so there's no need to key your Session variables by user.
The session is generally tied to a particular browser through cookies and is isolated from other sessions.
Hope the following points clear your doubts:
You will get a new session/session ID when using different browsers
If you are using the same browser (tabs or multiple instances) and your session is set to use cookies, by default cookies will be shared among all tabs and/or instances of a browser
If you want a different session when using the same browser you will need to use cookieless sessions.
I am reviewing some web code and I am not exactly sure how ASP.NET session state works. Any help would be gratefully appreciated.
A User object is saved to the session state during login, and User.FirstName and User.LastName are set. If other web pages retrieve the user object from the session and set the FirstName to something else, is that persisted on other web pages? Or do you need to re-add the user object back to the session once it has been modified? Thanks
Session is persisted on the server, but tracked via the client. I repeat - via the client.
In most cases, sessions are tracked with cookies. So using your example, when User object is saved to Session:
Session["UserInfo"] = new User { FirstName = "Joe", LastName = "Bloggs" };
A cookie will be sent to the client with a unique identifier. This cookie is passed along to all further HTTP requests from this client/browser unless it expires.
If another user comes along (from a different machine) for the first time, Session["UserInfo"] will be null.
An alternative to cookies is "cookieless-session", where instead of using a cookie to store the session identifier, the identifier is tacked onto the URL.
So the answer is no - other web pages (e.g other clients/machines/browsers) will not have access to this information.
If you want information shared between different clients from the web server, use Cache.
However given the context of the question (User information), it is valid to store this information in the Session, as it is only relevant to a particular user (shouldn't be shared).
An alternative a lot of people use, instead of sticking the User info in the session, is to put it in a generic principal which gets attached to the Forms Authentication ticket.
Up to you which road you choose.
This should help you get your head around Sessions in ASP.Net
http://www.codeproject.com/KB/aspnet/ExploringSession.aspx
http://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
Any changes you make to the object are persisted.
A) I assume Asp.Net allows you to reuse session identifier only if we operate in cookieless mode, but not if we use cookies to store session ID?
B) From my book:
“By default, ASP.NET allows you to reuse a session identifier. For example, if you make a request and your query string contains an expired session, ASP.NET creates a new session and uses that session ID. The problem is that a session ID might inadvertently appear in a public place - such as in a results page in a search engine. This could lead to multiple users accessing the server with the same session identifier and then all joining the same session with the same shared data.”
I’m not sure I understand how reusing session identifier could cause session ID to appear in a results page in a search engine?
C) Continuing:
To avoid this potential security risk, it’s recommended that you include the optional regenerateExpiredSessionId attribute and set it to true whenever you use cookieless sessions. This way, a new session ID will be issued if a user connects with an expired session ID. The only drawback is that this process also forces the current page to lose all view state and form data, because ASP.NET performs a redirect to make sure the browser has a new session identifier.
Why does ASP.NET need to perform a redirect to make sure the browser has a new session identifier? Couldn’t it just extract the session ID from the URL and throw it away?
Thank you
A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.
Just to be sure I understand what you are saying:
When session is cookie-based and if you make a request, but your cookie contains a session Id of an already expired session, then server will generate a new ID?
But if session is cookieless ( thus ID is contained in URL ), then by default Asp.Net will create new session using that same ID?
C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.
But why doesn’t it instead just put the new session ID in a URL and send it back? There must be a reason why this wouldn’t work and thus a redirect is needed?!
A) No. When using cookie-based sessions, if a client sends an invalid session ID (from a stale cookie for example), the server will reject the ID, generate a new ID and send that value back in the cookie with the response.
B) When using cookie-less sessions, it's quite possible that a search engine could index a page with the session ID implanted in the URL. In this case, should a user click on the link from the search engine (and regenerateExpiredSessionId was 'true'), a new session would be created using the same ID. Subsequent users would also re-use the same ID should they click the link, and if multiple users are browsing at the same time using the same ID, they would be overwriting each other's session values with each request.
C) The redirect is performed to ensure that the client received the new session id value and properly sends it back with the follow-up request. It's just a double-confirmation that occurs.
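A startup check for the cookieless settings discussed in this thread, as an added example that is not part of the original posts or the quoted book. The class name SessionConfigAudit and the finding text are assumptions; the configuration properties are the ones exposed by System.Web.Configuration.SessionStateSection.

```csharp
// Added example: fail fast when session IDs can travel in URLs and an
// expired ID supplied by the client would be accepted for a new session.
// Intended fix in web.config (either line):
//   <sessionState cookieless="UseCookies" />
//   <sessionState cookieless="UseUri" regenerateExpiredSessionId="true" />
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.SessionState;

public static class SessionConfigAudit   // hypothetical helper name
{
    // Returns null when the configuration is acceptable, otherwise a finding.
    public static string Check()
    {
        var section = (SessionStateSection)
            WebConfigurationManager.GetSection("system.web/sessionState");

        if (section.Mode == SessionStateMode.Off)
        {
            return null; // session state is disabled, nothing to audit
        }

        // With UseCookies the ID is never written into the URL, so it cannot
        // end up in search results, bookmarks or Referer headers.
        if (section.Cookieless == HttpCookieMode.UseCookies)
        {
            return null;
        }

        // UseUri, AutoDetect and UseDeviceProfile can all place the ID in the
        // URL. Without regeneration, everyone following the same stale link
        // joins one session and overwrites each other's values.
        if (!section.RegenerateExpiredSessionId)
        {
            return "sessionState: cookieless mode '" + section.Cookieless +
                   "' with regenerateExpiredSessionId=\"false\"";
        }

        return null;
    }
}

// Usage from Global.asax.cs (Application_Start):
//   string finding = SessionConfigAudit.Check();
//   if (finding != null) throw new InvalidOperationException(finding);
```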