Newly Created Session doesn't retain session contents_问答_开发者

Newly Created Session doesn't retain session contents

开发者 https://www.devze.com 2023-03-25 03:20 出处：网络

The system I am working on does not use standard ASP.NET Auth/ Membership facilities for logging users in/ out. Therefore after logging the user in I want to issue a new Session ID to the user in order to prevent Session trapping/ Hijacking. The problem i have is that although I have been able to successfully create a new session with a new ID and copy the various components to the newly created session eg. session["value"]. By the end of the code excerpt below the newly created session is the current HTTPContext's session, and has the session values that were copied accross. However after performing a Response.Redirect the 开发者_如何学Pythonnew session is in action, but none of the session["values"] have persisted across the two requests. As you can see from the code below i've tried adding the values to a number of collections to avail.

Any help would be amazing!! Thanks in advance

    bool IsAdded = false;
    bool IsRedirect = false;

    HttpSessionState state = HttpContext.Current.Session;        
    SessionIDManager manager = new SessionIDManager();
    HttpStaticObjectsCollection staticObjects = SessionStateUtility.GetSessionStaticObjects(HttpContext.Current);
    SessionStateItemCollection items = new SessionStateItemCollection();

    foreach (string item in HttpContext.Current.Session.Contents)
    {
        var a = HttpContext.Current.Session.Contents[item];
        items[item] = a;
    }  

    HttpSessionStateContainer newSession = new HttpSessionStateContainer(
                                                    manager.CreateSessionID(HttpContext.Current),
                                                    items,
                                                    staticObjects,
                                                    state.Timeout,
                                                    true,
                                                    state.CookieMode,
                                                    state.Mode,
                                                    state.IsReadOnly);

    foreach (string item in HttpContext.Current.Session.Contents)
    {
        var a = HttpContext.Current.Session.Contents[item];
        newSession.Add(item,a);
    }



    SessionStateUtility.RemoveHttpSessionStateFromContext(HttpContext.Current);

    SessionStateUtility.AddHttpSessionStateToContext(HttpContext.Current, newSession);

    manager.RemoveSessionID(HttpContext.Current);
    manager.SaveSessionID(HttpContext.Current, newSession.SessionID, out IsRedirect, out IsAdded);

    return newSession.SessionID;

Maybe I'm missing something here but won't this work:

Session["mysession"] = mySessionObject;

Basically it appears it's not possible since you can only add session variables once there has been one round trip to the client to create the corresponding session cookie. Therefore I had to create the new new session (with new ID) so that by the time I came to adding session variables, the client cookie had the appropriate session id: annoying since this in reality is issuing the new session ID before the user is authenticated.

Interestingly, it seems a little strange that issuing a new Session ID is exactly what the standard asp.net authentication/ membership functionality does but is able to maintain session variables, and yet doing it manually it doesn't....are there some methods for this that are not being exposed to us mere developers maybe....