<< JavaScript code minimizer (not obfuscator!) | Home | WPF: Inheriting from custom class instead of Window >>

Another breaking change in ASP.NET 2.0: Session.SessionID

I only recently became aware of another breaking change in ASP.NET 2.0: In order to optimize session state management, some changes have been implemented. One of the most puzzling ones when you're not aware of it can be reproduced as follows:
  • In ASP.NET 1.1, create a new web application.
  • Add a label to the page, name it lblSessionID.
<asp:Label Runat="server" ID="lblSessionID" />
  • In the code behind, add the following code in the "Page_Load" method:
protected void Page_Load(object sender, EventArgs e) { lblSessionID.Text = this.Session.SessionID; }
  • Load the page in the web browser. Press F5 as many times as you like, and the SessionID remains the same.
This behaviour is expected, and my guess is that quite a few applications rely on the SessionID being consistent on every page refresh.
However, in ASP.NET 2.0, the behaviour is different, which may cause applications to break: If you create a new website (or a new web application) and reproduce all the steps above, the SessionID will be different on every refresh of the page. The reason is found in MSDN:
"When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object."
Since cookie-based session state is the default, this change of behaviour will affect existing web applications relying on the SessionID to identify the current user without having previously stored data in the Session object.
Here is a possible fix:
protected void Page_Load(object sender, EventArgs e) { if ( this.Session[ "dummy" ] == null ) { this.Session[ "dummy" ] = 1; } lblSessionID.Text = this.Session.SessionID; }
Not very elegant, and I can't say that I totally understand the reason why the ASP.NET team doesn't offer a better way to keep the SessionID consistent all the time, even when nothing is stored in the Session object. Anyway, this has caused me a few headaches, so hopefully this article will help other developers.
Print | posted on Sunday, February 25, 2007 2:51 PM

Feedback

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by LRK at 3/22/2007 10:22 PM Gravatar
Thanks for posting this. I've been trying for nearly two hours to figure out what changed from 1.1 to 2.0. MSDN doesn't make it obvious at all.

Regards,
LRK

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Techno Pig at 3/30/2007 2:51 PM Gravatar
Useful info and necessary for some of us working with complex sites with series of integrated forms.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Dilip Namdeo at 5/8/2007 11:03 PM Gravatar
Thx...It's really nice article...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Ajith Kumar A.J at 5/20/2007 9:42 PM Gravatar
Thanks, for the comments. It helped a lot. I have wasted a week to find a solution for that. Great Work !!!!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Tarique at 5/30/2007 10:17 AM Gravatar
Just one quick question.

When using session state with cookie, the sessionID is stored as a non-persistent cookie on the client side. And as soon as the browser closes, the Session ID cookie is destroyed, right ?

Thanks,

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/30/2007 5:56 PM Gravatar
Hi,

Yes, it's correct. However it doesn't mean that the session on the server expires immediately. If the session is not abandoned explicitly, it will expire (and the corresponding object in memory will be deleted) only after a timeout, which you can set in the web.config file (default 20 minutes).

Also, note that the session ID cookie is linked to the process on the client. Firefox runs only one process, always. So if you have multiple windows, they all run in the same process, and they all have the same session ID. For IE however, multiple processes are possible (you can have more than one IEXPLORE.EXE in the Task manager). So there is a different session ID for each instance of IEXPLORE.EXE. Multiple windows can run in one instance of this process, so these windows will have the same session ID. It's a bit confusing, I know...

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Hannes Calitz at 9/27/2007 2:11 AM Gravatar
Thank you sooooooooooo much. I have been struggling with this problem for a few hours now.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Sawan at 1/2/2008 7:51 PM Gravatar
Hi,

I try many State Management Tech. in My project but i use ohter with sessionID that create prob. to me. but when i use session object it works fine .

I got your point ...
So thanks for help dev...

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Russell at 1/9/2008 10:32 PM Gravatar
holy shit....lots of hugs & kisses (not in a gay way) ....... yr solution rocks man!

# Sessionid for two tabs of same site in Firefox.

left by ashish at 2/10/2008 7:11 PM Gravatar
Need to create different Sessionid for two tabs of same site in Firefox.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 2/15/2008 11:46 PM Gravatar
Hi,

Session ID is per browser process instance. Since Firefox allows only one instance of the process, you cannot have multiple session IDs. Each window (and by extension each tab) running in the same process will automatically have the same session ID.

If you want a different ID, you'll have to resort to tricks. For example, have JavaScript initialize a variable based on the date/time at which the current page was loaded in the tab. Then, the new "fake" session ID becomes:

[real session ID]-[ticks]

You must make sure that the "fake" session ID is preserved over postbacks. It's quite some work, but doable.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by TK at 4/1/2008 10:02 PM Gravatar
Hey.. Thank you so much for this post.. It really helped me to manage my web application..

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/1/2008 10:28 PM Gravatar
Hi TK,

Glad to help. Happy coding.

Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by siddharth at 4/15/2008 2:35 PM Gravatar
Hi,
I want to abandon session when tab of the browser closed so please tell me how i do this means get that tab closed and fire Session.Abandon

thanks
Siddharth

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 4/16/2008 6:06 PM Gravatar
Hi,

There is no reliable way to do that, because the browser doesn't really have a reliable event. The way you can do is set the session to live for a very short time (1 minute), and then to use a web service to constantly "kick" the session and keep it alive (for example sending a very short message every 30 seconds). ASMX content is dynamic, so this will keep the session alive. Then when the heartbeat stops, the session will just expire.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by a h at 5/5/2008 7:35 PM Gravatar
This may have to do with improving security. Remember the hijaking of session id issue?

A user may browse the unsecured pages of say amazon.com and then decides to buy something at which point he is redirected to a secured page. If amazon cleverly starts the session only after the ssl has been established, it would be imposible for a hijaker to know the session id.

In this case this change of 2.0 is more than welcomed.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Ramesh at 5/8/2008 8:13 AM Gravatar
Nice article and a very good and simple example.....
Its very nice

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/8/2008 8:52 AM Gravatar
Thanks Ramesh,

Interestingly, it's the only one of my "older" articles that still gets comments regularly :) Happy to help!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by jayesh at 5/22/2008 12:45 AM Gravatar
when i used session.sessionid so it will give's me different sessionid at every times in Asp.net with AJAX so any one can help me for this problem

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Juan Romero at 5/22/2008 3:41 PM Gravatar
Thanks a lot man. We are making the move to .NET 2.0 and I have been going crazy with the damn session id changing every time. You saved me a lot of headache. Thanks again!

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 5/22/2008 4:01 PM Gravatar
Hi Juan,

You welcome, I am really happy that it helped.

Happy coding,
Laurent

# The session does not expire when i am using firefox explorer

left by Jack at 6/4/2008 5:10 PM Gravatar
The session does not expire when i am using firefox explorer.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/5/2008 8:50 AM Gravatar
Jack,

The session is linked to a cookie. Since Firefox forces all windows to run in the same process, all the windows will automatically share the same session ID (yes it's annoying, but that's Firefox policy). Every time that you use any Firefox window to access your ASP.NET application, the session will be extended. If you want it to expire, you must close Firefox completely (each window). For security, I would also check that the firefox process is really dead (I had issues with that in the past).

Greetings,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Adlin at 6/9/2008 5:45 PM Gravatar
Hi,

Even In IE, if you open two instance of IE by clicking an url from word or outlook its getting opened under the same sessionid. Any work around or solution would be really appreciated. Thanks in advance.
Mode -- > [cookieless="false"] and its Ajax enabled.
Regards,
Adlin.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/9/2008 9:37 PM Gravatar
Hi Adlin,

In the contrary to Firefox, IE has two ways to handle new windows:

- If you have an instance of IE open, and click on a link or a bookmark, the window will be open in the same process, thus the SessionID will be the same.

- If you explicitly start a new instance of IExplore.exe (for example by a double-click on the "IE" shortcut on your desktop), then the SessionID will be different.

The second possibility is not available in Firefox.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Adlin at 6/10/2008 6:59 AM Gravatar
Hi Laurent,

I really appreciate the immediate feedback you have given for my query. Sorry to bother you again, still I've some doubts on the same. IE generates different SessionId in the below conditions.

1. cookieless="true".
2. Clicking a link in word document or outlook.

As per your first explanation, it should generate the same sessionID for the second instance right? Please clarify me if I am not in sync with your explanation.

Best Regards,
Adlin


# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 6/10/2008 10:08 AM Gravatar
Hi Adlin,

I cannot test right now, but I suspect that clicking a link in a word document or outlook actually starts a new instance of the process. You can check it in the process explorer (in task manager). If you see one IExplore.exe before you click on the link, and 2 IExplore.exe after, then the sessionID will be different.

When I talked about "link" in my reply, I actually meant a link in a HTML page running in IE. For example, if you right click and select "open in new window", or if the link has target="_blank".

Another possible explanation is what I describe in this article: If you don't explicitly save something in the session, the sessionID will be different each time you reload the page.

HTH,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Amruth at 7/18/2008 9:39 AM Gravatar
Hi Laurent

I have an instance of IE open, and click on a link or button, will open a new window.
Each of these windows should have unique identifiers which can be used as part of a key to load data into session.

Can the unique value be a Session Id.
My understanding from the article above is that Session Id cannot be unique since the new window is truly not a new instance of IExplore.exe.

Is there an alternative way for me to create unique keys for each IE window while running in the same process.
Please help.

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Laurent at 7/19/2008 8:12 AM Gravatar
Hi Amruth,

No, the SessionID is linked to the process, not to the window. Like I wrote before, if you open a window through a link, the process remains the same, so both windows have the same SessionID.

You can however implement an ID store in JavaScript, and have it pass unique IDs to the window. A typical unique ID can be composed of the SessionID and of the ticks at the time of opening the new window.

Greetings,
Laurent

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Peter Pan at 8/8/2008 12:23 AM Gravatar
Thanks lauri,
You are now my favourite blogger ;-) You should wear one of those MVP caps dude

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Another friend at 8/8/2008 12:32 AM Gravatar
Hey,

My question is inverse. How can I get a new session ID after the session expires?

Session end event fires, session values disappear but still the same session id persisits. How to instruct asp.net to give the browser a new cookie without reopening in a new browser?

Thanks

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by vinod at 8/27/2008 9:48 AM Gravatar
can i set expiry time for session id cookie ?
where i have to set cookie expiry time?
how ?

# re: Another breaking change in ASP.NET 2.0: Session.SessionID

left by Rick Holc at 8/28/2008 4:54 PM Gravatar
I just tried a similar solution using global.asax. I created a blank global.asax file in Visual Studio. This file contains subroutines for Session_Start and Session_End that do not contain any code. I did not add any code to the subs but placed the file in my application and the SessionID problem went away. I now have a valid ID on each post back and refresh. I guess the existance of the Session_Start subroutine is all it takes to initialize the Session state and maintain it. Anyone have any other ideas why this is working?
Title  
Name
Email (never displayed)
Url
Comments   
Please add 2 and 2 and type the answer here:
Copyright © Laurent Bugnion