URL copy issue and session not expiring

Question

Hi, My web application uses SQL Server for StateManagement. I have two problems because of this: 1. The session-id is part of url. Therefore if we copy and paste this url in a new browser, I continue to work with the older session. This is a huge security threat, please help. 2. If only the tab is closed, the session doesnot expire immediatly. Please help. Thanks Shweta

Shweta Mishra · Answer

Please someone reply as this is very urgent

Shweta Mishra · Answer

As you said, javascript's window.onbeforeunload() event. it is fired on close of browser window so this works only on browser close, what can we do for tab close?

Shweta Mishra · Answer

Hi Ajay, Following is the content in our sessionstate tag: mode = " SQLServer " sqlConnectionString = " user id=; password=; Data Source=; " cookieless = " UseUri "> We cannot use any other method; as there are almost 10 services using this and it will not be possible to get into any other mode for session management Please help The session does expire immediatly if browser exit button is used but nor when tab exit button is user We are using VS 2012 As you said, javascript's window.onbeforeunload() event. it is fired on close of browser window so this works only on browser close, what can we do for tab close? Hi Jignesh, Thanks for the articles and this is the problem we are facing by using cooklieless session where session is stored in url Even if an ignorant user shares his url, he is actually sharing his user informationa and his friend logs in as he This is a huge security threat and it is very important for me to find a solution The post from code-project gives a solution and I will try to work on this to get this fix done Thanks Shweta

Jignesh Trivedi · Answer

In ASP.net, session state involves providing a cookie and The cookie contains a session identifier which is used by the website to match visitors up with their respective session values. If we don't want to carry sessionid in url we have option to use cookie less session Please refer http://www.codeproject.com/Tips/627029/Cookieless-Session-in-ASP-NET http://msdn.microsoft.com/en-us/library/aa479314.aspx for your second problem, this is because of your cookie does not expire immediately. hope this will help you.

Ajay Patel · Answer

1. Check in SessionState tag. cookieless should not true 2. Session does not expire immediately. It is expire on time out. So if you want sesssion to expire, then do it manually. You can call server side function in javascript's window.onbeforeunload() event. it is fired on close of browser window

URL copy issue and session not expiring

Answers (5)