Duplicate Session ID

Question

Hi I am working on Sessions and don't know whey the Session ID is created the same as the previous one.

I have a log table which tells which user has logged in, its time and stores its unique Session ID. When it log outs system checks for the Session ID n changes its status to log out.

But when user is logged in again the Session ID created is the same i don't know whats the mistake.

The Code is given below

log in cs file

HttpContext.Current.Session["user"]=user;
HttpContext.Current.Session["sessionid"]=HttpContext.Current.Session.SessionID;

when user log outs

log out cs file

HttpContext.Current.Session.Abandon();

Waiting for your help. Thanks in advance

Choose the best answer if any of the answers worked for u – Subin Jacob Nov 27 '13 at 11:32 — Subin Jacob, Nov 27 '13 at 11:32

score 5 · Answer 1 · answered Nov 27 '13 at 08:41

5

ASP.NET doesn't guarantee that the session id is unique beyond the lifetime of that session (ie. there's no living session with the same ID), I'm affraid. You should just use your own unique identifier if you want that functionality.

answered Nov 27 '13 at 08:41

Luaan

62,244
7
97
116

score 5 · Accepted Answer · edited May 23 '17 at 12:17

You can use Guid.NewGuid().ToString() instead. ASP.NET doesn't guarantee that the session id is unique beyond the lifetime of the session.

While each generated GUID is not guaranteed to be unique, the total number of unique keys >(2^128 or 3.4×10^38) is so large that the probability of the same number being generated twice >is very small. For example, consider the observable universe, which contains about 5×10^22 >stars; every star could then have 6.8×10^15 universally unique GUIDs.

You can always trust the GUID to be unique always. Thats the real purpose of GUID. This SO Question asks about unique Id.

score 2 · Answer 3 · answered Nov 27 '13 at 08:47

You can use GUID as suggested by Subin.

While time of creating sessions for a user, use the code below.

HttpContext.Current.Session["sessionid"]=Guid.NewGuid().ToString();

While Saving it to DB, use the reverse:

User.dbField = HttpContext.Current.Session["sessionid"]

score 1 · Answer 4 · answered Nov 27 '13 at 12:35

Since the users are members on your website, they should already have a uniqueID, whether this is a email address or an Id? You can use this to make entries into the Login table.

Note: There is a caveat to this process; it will work fine if the user clicks on the logout button, you can remove the uniqueId from the Login Table or update status to logged out, whichever way you have this set up. But, if the user just closes the browser, no event will be fired to perform the same action, so the user will remain logged in.

You should also look at possible solutions for dealing with the clean up of users who have not clicked on the logout button.

Duplicate Session ID

4 Answers4