ASP NET Session SessionID changes between requests

Question

Why does the property SessionID on the Session-object in an ASP NET-page change between requests   I have a page like this        lt div gt      SessionID   lt    SessionID   gt   lt  div gt        And the output keeps changing every time I hit F5  independent of browser

User · Answer

Session ID resetting may have many causes. However any mentioned above doesn't relate to my problem. So I'll describe it for future reference.

In my case a new session created on each request resulted in infinite redirect loop. The redirect action takes place in OnActionExecuting event.

Also I've been clearing all http headers (also in OnActionExecuting event using Response.ClearHeaders method) in order to prevent caching sites on client side. But that method clears all headers including informations about user's session, and consequently all data in Temp storage (which I was using later in program). So even setting new session in Session_Start event didn't help.

To resolve my problem I ensured not to remove the headers when a redirection occurs.

Hope it helps someone.

User · Answer

In my case this was happening a lot in my development and test environments   After trying all of the above solutions without any success I found that I was able to fix this problem by deleting all session cookies   The web developer extension makes this very easy to do   I mostly use Firefox for testing and development  but this also happened while testing in Chrome   The fix also worked in Chrome   I haven t had to do this yet in the production environment and have not received any reports of people not being able to log in   This also only seemed to happen after making the session cookies to be secure   It never happened in the past when they were not secure

User · Answer

I ran into this issue a different way   The controllers that had this attribute  SessionState SessionStateBehavior ReadOnly   were reading from a different session even though I had set a value in the original session upon app startup   I was adding the session value via the  layout cshtml  maybe not the best idea    It was clearly the ReadOnly causing the issue because when I removed the attribute  the original session  and SessionId  would stay in tact   Using Claudio s Microsoft s solution fixed it

User · Answer

Be sure that you do not have a session timeout that is very short  and also make sure that if you are using cookie based sessions that you are accepting the session   The FireFox webDeveloperToolbar is helpful at times like this as you can see the cookies set for your application

User · Answer

in my case it was because I was modifying session after redirecting from a gateway  in an external application  so because I was using IP instead on localhost in that page url it was actually considered different website with different sessions   In summary      pay more attention if you are debugging a hosted application on IIS instead of IIS express and mixing your machine http   Ip and http   localhost in various pages

User · Answer

my problem was that we had this set in web config    lt httpCookies httpOnlyCookies  true  requireSSL  true    gt   this means that when debugging in non-SSL  the default   the auth cookie would not get sent back to the server   this would mean that the server would send a new auth cookie  with a new session  for every request back to the client   the fix is to either set requiressl to false in web config and true in web release config or turn on SSL while debugging

User · Answer

In my case I figured out that the session cookie had a domain that included www  prefix  while I was requesting page with no www   Adding www  to the URL immediately fixed the problem  Later I changed cookie s domain to be set to  mysite com instead of www mysite com

User · Answer

This is the reason     When using cookie-based session state  ASP NET does not allocate storage for session data until the Session object is used  As a result  a new session ID is generated for each page request until the session object is accessed  If your application requires a static session ID for the entire session  you can either implement the Session Start method in the application s Global asax file and store data in the Session object to fix the session ID  or you can use code in another part of your application to explicitly store data in the Session object    http   msdn microsoft com en-us library system web sessionstate httpsessionstate sessionid aspx  So basically  unless you access your session object on the backend  a new sessionId will be generated with each request  EDIT  This code must be added on the file Global asax  It adds an entry to the Session object so you fix the session until it expires   protected void Session Start Object sender  EventArgs e         Session  init     0

User · Answer

I m on  NET Core 2 1 and I m well aware that the question isn t about Core  Yet the internet is lacking and Google brought me here so hoping to save someone a few hours     Startup cs  services AddCors o   gt  o AddPolicy  AllowAll   builder   gt                                builder                      WithOrigins  http   localhost 3000          important                      AllowCredentials                            important                      AllowAnyMethod                        AllowAnyHeader             obviously just for testing                    client js  const resp   await fetch  https   localhost 5001 api user                 method   POST               credentials   include                                important             headers                     Content-Type    application json                             body  JSON stringify data               Controllers LoginController cs  namespace WebServer Controllers        Route  api  controller          ApiController      public class UserController   ControllerBase                HttpPost          public IEnumerable lt string gt  Post  FromBody LoginForm lf                        string prevUsername   HttpContext Session GetString  username                Console WriteLine  Previous username      prevUsername                HttpContext Session SetString  username   lf username                return new string     lf username  lf password                        Notice that the session writing and reading works  yet no cookies seem to be passed to the browser  At least I couldn t find a  Set-Cookie  header anywhere

User · Answer

Another possibility that causes the SessionID to change between requests  even when Session OnStart is defined and or a Session has been initialized  is that the URL hostname contains an invalid character  such as an underscore    I believe this is IE specific  not verified   but if your URL is  say  http   server name app  then IE will block all cookies and your session information will not be accessible between requests   In fact  each request will spin up a separate session on the server  so if your page contains multiple images  script tags  etc   then each of those GET requests will result in a different session on the server   Further information  http   support microsoft com kb 316112

User · Answer

Using Neville s answer  deleting requireSSL   true  in web config  and slightly modifying Joel Etherton s code  here is the code that should handle a site that runs in both SSL mode and non SSL mode  depending on the user and the page  I am jumping back into code and haven t tested it on SSL yet  but expect it should work - will be too busy later to get back to this  so here it is   if  HttpContext Current Response Cookies Count  gt  0                        foreach  string s in HttpContext Current Response Cookies AllKeys                                if  s    FormsAuthentication FormsCookieName    s ToLower       asp net sessionid                                         HttpContext Current Response Cookies s  Secure   HttpContext Current Request IsSecureConnection

User · Answer

This was changing for me beginning with  NET 4 7 2 and it was due to the SameSite property on the session cookie  See here for more info  https   devblogs microsoft com aspnet upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core   The default value changed to  Lax  and started breaking things  I changed it to  None  and things worked as expected

User · Answer

There is another  more insidious reason  why this may occur even when the Session object has been initialized as demonstrated by Cladudio   In the Web config  if there is an  lt httpCookies gt  entry that is set to requireSSL  true  but you are not actually using HTTPS  for a specific request  then the session cookie is not sent  or maybe not returned  I m not sure which  which means that you end up with a brand new session for each request   I found this one the hard way  spending several hours going back and forth between several commits in my source control  until I found what specific change had broken my application

User · Answer

My issue was with a Microsoft MediaRoom IPTV application  It turns out that MPF MRML applications don t support cookies  changing to use cookieless sessions in the web config solved my issue   lt sessionState cookieless  true     gt    Here s a REALLY old article about it  Cookieless ASP NET

[asp.net] ASP.NET: Session.SessionID changes between requests

Examples related to asp.net

Examples related to session

Examples related to sessionid