SyntaxFix

[asp.net] What is the difference between Session.Abandon() and Session.Clear()

What is the difference between destroying a session and removing its values? Can you please provide an example demonstrating this?

I searched for this question, but don't grasp total answer. Some answers are:

  • Session.Abandon() destroys the session
  • Session.Clear() just removes all values

A friend told me this:

Clearing the session will not unset the session, it still exists with the same ID for the user but with the values simply cleared.

Abandon will destroy the session completely, meaning that you need to begin a new session before you can store any more values in the session for that user.

The below code works and doesn't throw any exceptions.

Session.Abandon();
Session["tempKey1"] = "tempValue1";

When you Abandon() a Session, you (or rather the user) will get a new SessionId

When I test Session, it doesn't makes any change when I Abandon the session.

I just find one difference: session.Abandon() raises Session_End event

This question is related to asp.net session asp.net-session

The answer is

Existence of sessionid can cause the session fixation attack that is one of the point in PCI compliance. To remove the sessionid and overcome the session fixation attack, read this solution - How to avoid the Session fixation vulnerability in ASP.NET?.

this code works and dont throw any exception:

Session.Abandon();  
Session["tempKey1"] = "tempValue1";

It's because when the Abandon method is called, the current Session object is queued for deletion but is not actually deleted until all of the script commands on the current page have been processed. This means that you can access variables stored in the Session object on the same page as the call to the Abandon method but not in any subsequent Web pages.

For example, in the following script, the third line prints the value Mary. This is because the Session object is not destroyed until the server has finished processing the script.

<% 
  Session.Abandon  
  Session("MyName") = "Mary" 
  Reponse.Write(Session("MyName")) 
%>

If you access the variable MyName on a subsequent Web page, it is empty. This is because MyName was destroyed with the previous Session object when the page containing the previous example finished processing.

from MSDN Session.Abandon

This is sort of covered by the various responses above, but the first time I read this article I missed an important fact, which led to a minor bug in my code...

Session.Clear() will CLEAR the values of all the keys but will NOT cause the session end event to fire.

Session.Abandon() will NOT clear the values on the current request. IF another page is requested, the values will be gone for that one. However, abandon WILL throw the event.

So, in my case (and perhaps in yours?), I needed Clear() followed by Abandon().

Clearing a session removes the values that were stored there, but you still can add new ones there. After destroying the session you cannot add new values there.

this code works and dont throw any exception:

Session.Abandon();  
Session["tempKey1"] = "tempValue1";

One thing to note here that Session.Clear remove items immediately but Session.Abandon marks the session to be abandoned at the end of the current request. That simply means that suppose you tried to access value in code just after the session.abandon command was executed, it will be still there. So do not get confused if your code is just not working even after issuing session.abandon command and immediately doing some logic with the session.

clear-its remove key or values from session state collection..

abandon-its remove or deleted session objects from session..

When you Abandon() a Session, you (or rather the user) will get a new SessionId (on the next request). When you Clear() a Session, all stored values are removed, but the SessionId stays intact.

Session.Abandon()

will destroy/kill the entire session.

Session.Clear()

removes/clears the session data (i.e. the keys and values from the current session) but the session will be alive.

Compare to Session.Abandon() method, Session.Clear() doesn't create the new session, it just make all variables in the session to NULL.

Session ID will remain same in both the cases, as long as the browser is not closed.

Session.RemoveAll()

It removes all keys and values from the session-state collection.

Session.Remove()

It deletes an item from the session-state collection.

Session.RemoveAt()

It deletes an item at a specified index from the session-state collection.

Session.TimeOut()

This property specifies the time-out period assigned to the Session object for the application. (the time will be specified in minutes).

If the user does not refresh or request a page within the time-out period, then the session ends.

I think it would be handy to use Session.Clear() rather than using Session.Abandon().

Because the values still exist in session after calling later but are removed after calling the former.

Source: Stackoverflow.com

Examples related to asp.net

RegisterStartupScript from code behind not working when Update Panel is used You must add a reference to assembly 'netstandard, Version=2.0.0.0 No authenticationScheme was specified, and there was no DefaultChallengeScheme found with default authentification and custom authorization How to use log4net in Asp.net core 2.0 Visual Studio 2017 error: Unable to start program, An operation is not legal in the current state How to create roles in ASP.NET Core and assign them to users? How to handle Uncaught (in promise) DOMException: The play() request was interrupted by a call to pause() ASP.NET Core Web API Authentication Could not load file or assembly 'CrystalDecisions.ReportAppServer.CommLayer, Version=13.0.2000.0 WebForms UnobtrusiveValidationMode requires a ScriptResourceMapping for jquery

Examples related to session

What is the best way to manage a user's session in React? Spring Boot Java Config Set Session Timeout PHP Unset Session Variable How to kill all active and inactive oracle sessions for user Difference between request.getSession() and request.getSession(true) PHP - Session destroy after closing browser Get Current Session Value in JavaScript? Invalidating JSON Web Tokens How to fix org.hibernate.LazyInitializationException - could not initialize proxy - no Session How can I get session id in php and show it?

Examples related to asp.net-session

What is the difference between Session.Abandon() and Session.Clear() How can I set the Secure flag on an ASP.NET Session Cookie? How to clear out session on log out

Tags

One-to-one Fedora11 Maven-glassfish-plugin Ess Repost Isql Languageservice Service-discovery Nutch Centralized Aggregate Loess Inline-xml Signatures Scientific-software Gsoap Source-control-bindings Lexical-scope Num-lock Password-confirmation Opensolaris Python-2.x Bitbucket Business-process-management Ioexception Nullptr Activity-state Web-analytics-tools Tinyxml Silverlight-toolkit Solr Hypertalk Winavr Bitsharp Query-string Ie-mobile Directdraw Rmysql Hoisting Android-camera-intent Image.createimage Hecl Msbuild-4.0 Low-level-code Parity Lorem-ipsum Preemption Buildout Progressdialog Flash-cs3 Capitalization Windows-server Minify Inverse-match Monad-transformers Session-replication Microsoft.mshtml Qnx Windows-xp-sp3 Skip-take Exploit Illegal-characters Docking Zend-filter Implicit-surface Wix3 Methodbase Flash-10 Response Clutter Cfquery Iphoto Autoconf Application-singleton Ima4 Amsmath Try-catch Dimensionality-reduction Exe Fieldset Cobertura Firstdata Click Contenttype No-cache Email-threading Signal-handling Self-contained Event-capturing Class-attribute Query-parameters Zend-test Parse-tree Xmppframework Compiler-options Digital-certificate Google-goggles Read-eval-print-loop Geocode Inline-scripting