When logging out, reset the session id.
If it is not reset, logging in again with a different account will still use the same session id.
https://stackoverflow.com/questions/24672416/how-to-create-session-id-for-every-login-in-asp-net-mvc
Try this when you abandon session/Logout:
// Abandon the server-side session, then blank the session cookie so the browser does not send the old id again
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
By clearing out that cookie, a new session with a new session ID will be created after second login.
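An added example, not code from the Stack Overflow answer above: an MVC controller that applies the logout advice and also issues a new session id at login, so an id that existed before authentication is never kept after it. It assumes Forms authentication and a configured Membership provider; the view and action names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Web.SessionState;

public class AccountController : Controller
{
    // Constructed helper (not a framework method): issue a fresh session id for
    // this request. SessionIDManager writes the new ASP.NET_SessionId cookie;
    // data stored under the old id is not carried over, so call this before
    // putting anything into Session for the logged-in user.
    private static void RegenerateSessionId()
    {
        var ctx = System.Web.HttpContext.Current;
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(ctx);
        bool redirected, cookieAdded;
        manager.SaveSessionID(ctx, newId, out redirected, out cookieAdded);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            return View();                 // assumed login view

        Session.Abandon();                 // drop whatever the pre-login session held
        RegenerateSessionId();             // pre-login id never becomes the authenticated id
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        Session.Clear();
        Session.Abandon();
        FormsAuthentication.SignOut();
        // Expire the cookie instead of only blanking it, so the browser stops
        // sending the old id and the next login receives a new one.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });
        return RedirectToAction("Login");
    }
}
```

Within the Login request itself `Session.SessionID` still reports the old id; the new one takes effect on the next request.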
HttpResponse.Cookies and HttpRequest.Cookies
ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of HttpRequest contains cookies transmitted by the client to the server in the Cookie header.
The collection accessed through the Cookies collection of HttpResponse contains new cookies created on the server and transmitted to the client in the Set-Cookie header.
After you add a cookie by using the HttpResponse.Cookies collection, the cookie is immediately available in the HttpRequest.Cookies collection, even if the response has not been sent to the client.
What is the difference between a Session and a Cookie?
Answer one
Sessions
Sessions are stored per-user in memory (or an alternative Session-State) on the server. Sessions use a cookie (session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the user's machine.
Sessions are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. Only if the Session-State is set to InProc; if set to another Session-State mode, the object must also be serializable.
// store a value in the session
Session["userName"] = "EvilBoy";
// read it back on a later request
if (Session["userName"] != null)
    lblUserName.Text = Session["userName"].ToString();
Cookies
Cookies are stored per-user on the user's machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings, colour preferences, etc. No sensitive information should ever be stored in a cookie.
You can never fully trust that a cookie has not been tampered with by a user or outside source; however, if security is a big concern and you must use cookies, then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether, so you cannot count on them being there just because a user has visited your site in the past.
// add a username cookie
Response.Cookies["userName"].Value = "EvilBoy";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
// can limit a cookie to a certain domain
Response.Cookies["userName"].Domain = "Stackoverflow.com";
// request a username cookie
if (Request.Cookies["userName"] != null)
    lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);
sidenote
It is worth mentioning that ASP.NET also supports cookieless state-management.
Answer two
A cookie is client-side storage of your variables. It is stored physically on the client machine by the browser. Its scope is machine-wide. Different users at the same machine can read the same cookie.
Because of this:
- You should not store sensitive data in a cookie.
- You should not store data that belongs to one user account.
- A cookie has no effect on server resources.
- A cookie expires at the date specified by you.
A session is server-side storage of your variables. By default, it is stored in the server's memory, but you can configure it to be stored in SQL Server. Its scope is browser-wide. The same user can run two or more browsers and each browser has its own session.
Because of this:
- You can save sensitive data in the session.
- You should not save everything in the session; it's a waste of server resources.
- After the user closes the browser, the session timeout clears all information. (The default is 20 minutes.)
Cache VS Session VS cookies?
State management is a critical thing to master when coming to Web world from a desktop application perspective.
Session
is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.
Cookie
should be used to store per-user information for the current Web session or persistent information on the client; therefore the client has control over the contents of a cookie.
Cache
object is shared between users in a single application. Its primary purpose is to cache data from a data store and it should not be used as primary storage. It supports automatic invalidation features.
Application
object is shared between users to store application-wide state and should be used accordingly.
If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.
Exploring Session in ASP.NET
https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net#43