Persisting Session Between Different Browser Instances
Introduction:
By default inproc session's
identifier cookie is saved in browser memory. This cookie is
known as non persistent cookie identifier. This simply means
that if the user closes his browser then the cookie is
immediately removed. On the other hand cookies which stored
on the user’s hard drive and can be reused for later visits
are called persistent cookies. Persistent cookies are less
used than nonpersistent cookies because of security. Simply
because nonpersistent cookies makes session hijacking
attacks more difficult and more limited. If you are using
shared computer then there are lot of chances that your
persistent session will be used by other shared members.
However this is not always the case, lot of users desired
that their session will remain persisted even they open two
instances of same browser or when they close and open a new
browser. So in this article i will provide a very simple way
to persist your session even the browser is closed.
Description:
Let's create a simple ASP.NET Web
Application. In this article i will use Web Form but it also
works in MVC. Open Default.aspx.cs and add the following
code in Page_Load.
protected void Page_Load(object sender, EventArgs e)
{
if (Session["Message"] != null)
Response.Write(Session["Message"].ToString());
Session["Message"] = "Hello, Imran";
}
This page simply shows a message if a session exist previously and set the session.
Now just run the application, you will just see an
empty page on first try. After refreshing the page you will
see the Message "Hello, Imran". Now just close the
browser and reopen it or just open another browser instance,
you will get the exactly same behavior when you run your
application first time . Why the session is not persisted
between browser instances. The simple reason is non
persistent session cookie identifier. The session cookie
identifier is not shared between browser instances. Now
let's make it persistent.
To make your
application share session between different browser
instances just add the following code in global.asax.
protected void Application_PostMapRequestHandler(object
sender, EventArgs e)
{
if (Request.Cookies["ASP.NET_SessionIdTemp"] != null)
{
if
(Request.Cookies["ASP.NET_SessionId"] == null)
Request.Cookies.Add(new HttpCookie("ASP.NET_SessionId",
Request.Cookies["ASP.NET_SessionIdTemp"].Value));
else
Request.Cookies["ASP.NET_SessionId"].Value =
Request.Cookies["ASP.NET_SessionIdTemp"].Value;
}
}
protected void
Application_PostRequestHandlerExecute(object sender,
EventArgs e)
{
HttpCookie
cookie = new HttpCookie("ASP.NET_SessionIdTemp",
Session.SessionID);
cookie.Expires =
DateTime.Now.AddMinutes(Session.Timeout);
Response.Cookies.Add(cookie);
}
This code simply state that during
Application_PostRequestHandlerExecute(which is executed
after HttpHandler) just
add a persistent cookie
ASP.NET_SessionIdTemp which contains the value of
current user SessionID and sets the timeout to current user
session timeout.
In
Application_PostMapRequestHandler(which is executed just
before th session is restored) we just check whether the
Request cookie contains ASP.NET_SessionIdTemp. If yes
then just add or update ASP.NET_SessionId cookie with
ASP.NET_SessionIdTemp. So when a new browser instance
is open, then a check will made that if
ASP.NET_SessionIdTemp exist then simply add or update
ASP.NET_SessionId cookie with
ASP.NET_SessionIdTemp.
So run
your application again, you will get the last closed browser
session(if it is not expired).
Summary:
Persistence session is great way to
increase the user usability. But always beware the security
before doing this.
However there are some cases in
which you might need persistence session. In this article i
just go through how to do this simply. So hopefully you will
again enjoy this simple article too.