Changing the session ID programmatically.

In this blog, I will show how to change the assigned session ID programmatically.

You may ask: why would I need to change the automatically generated user session ID? Well, there are many possible reasons, such as:

  • You may use the session ID to track user activities or to implement audit trails in your system.
  • Preventing session hijacking by generating a new session ID after the user logs in.
  • Removing the user session after logging out.

There could be more reasons that I don't know about; if you know more, feel free to post them in the comments section.

Changing the session ID is an easy task in ASP.NET. You just need to use the SessionIDManager class.

The class contains a lot of helpful methods. I will list some of them:

  • CreateSessionID : returns a unique session identifier that is a randomly generated number encoded into a 24-character string.
  • GetSessionID : gets the session-identifier value from the current Web request.
  • SaveSessionID : saves a newly created session identifier to the HTTP response.

The rest of the methods and class members can be found here.

I will now show a simple piece of code that prints the current session ID, creates a new session ID, and saves it to the context.

[Code provided in C#]

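        // SessionIDManager lives in the System.Web.SessionState namespace.
        SessionIDManager Manager = new SessionIDManager();

        // Generate a fresh ID and remember the one assigned to this request.
        string NewID = Manager.CreateSessionID(Context);
        string OldID = Context.Session.SessionID;
        bool redirected = false;
        bool IsAdded = false;
        // Write the new ID to the HTTP response; IsAdded reports whether the cookie was set.
        Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);
        Response.Write("Old SessionId Is : " + OldID);
        if (IsAdded)
        {
            Response.Write("<br/> New Session ID Is : " + NewID);
        }
        else
        {
            Response.Write("<br/> Session ID was not saved : ");
        }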

Hope it helps.
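
As an added example (not code from the original post), here is one way to apply the same three methods to the post-login case from the list of reasons above: abandon the old session, issue a new ID, and report whether it was sent. The class and method names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper; the class and method names are assumptions, not from the post.
public static class SessionRotation
{
    // Call once the credentials have been verified and before any post-login
    // values are written to Session. Returns true when the response now
    // carries a session ID different from the one the request arrived with.
    public static bool RotateAfterLogin(HttpContext context)
    {
        var manager = new SessionIDManager();

        // The ID the browser presented; before login it cannot be trusted,
        // because someone else may have supplied it to the user.
        string oldId = manager.GetSessionID(context);

        // Discard the state stored under the old ID so it cannot be resumed.
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        // cookieAdded: the new ID was written to the response as a cookie.
        // redirected: cookieless mode, the ID was placed in the URL instead.
        // Session.SessionID keeps returning oldId until the next request, and
        // values stored under oldId are not copied to newId.
        bool issued = cookieAdded || redirected;
        return issued && !string.Equals(oldId, newId, StringComparison.Ordinal);
    }
}
```

Redirect after a successful call and populate Session on the following request, when the browser presents the new ID.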

9 Comments

  • The last two parameters to the SaveSessionID method are "out" parameters, so your code won't even compile. You need to change it to:

    bool isRedirected, cookieAdded;
    Manager.SaveSessionID(Context, NewID, out isRedirected, out cookieAdded);

  • Thanks,
    I fixed the code.
    Actually the code was originally written in VB; it was converted to C# using a tool.

  • Manager.SaveSessionID(Context, NewID,out redirected, out IsAdded); is not working.

    The session ID remains the same as the old ID after executing the above.

    I have not added the following code in the web.config,
    Cookieless = "true" and RegenerateExpiredSessionId = "true"

    Do I need to add this?

  • After executing the above code I'm getting two session IDs as output because we display NewID and not Session.SessionID. On replacing NewID with Session.SessionID we will find that the ID has not changed.

    Though we are creating a new session ID, I'm not able to set the browser's session ID to that new ID.

    Can you help me with this? I will not get through the AppScan if I don't get this right!

  • Dear Friend,

    I have used the code provided by you in this article. The session ID is getting changed successfully. However, the sessions that I created before this are becoming null. Can you help me to overcome this situation?

    For example:
    1. At the beginning I created a few sessions with the names Session["Name"] and Session["ID"], and let us assume the session ID is 01234567890.
    2. I changed the session ID programmatically; then the session ID is 09876543210 (let us assume).
    3. After changing the session ID programmatically, the session value which I created earlier is becoming null.

    Could you please let me know "How would I fix this".

    Thanks and Regards,

    G.V.N.Sandeep

  • When the session ID is changed programmatically, our data is lost or associated with the old session ID. How can it be associated with the new session ID?

  • Thanks for the code. I needed to destroy the old session id once the payment had gone through when using sessionstate = sqlserver. That way if they went back in to buy more it wasn't using the same shop cart. Thanks again.

  • Have you tried calling the Session.Abandon() method? It should destroy the old session values.

  • Can I have the code in VB.NET, please?
