0

I'm a beginner in ASP.NET and just a question on session state. I was reading a textbook which says:

the session state will be lost if the user closes and restarts the browser and the session actually remains in memory on the web server, because ASP.NET has no idea that the client has closed the browser or changed windows. The session will linger in memory, remaining inaccessible, until it eventually expires

I don't quite understand what does "remaining inaccessible" mean, because a cookie called "ASP.NET_SessionId" will be created for the first time when the session collection is used on client's machine, so even when the users close and then restart their browsers and access the page again, so the cookie contains session id will still get sent to the server, if the session still remains in memory on the web server, why it is inaccessible?

Alexei Levenkov
  • 96,782
  • 12
  • 124
  • 169
amjad
  • 3,048
  • 1
  • 11
  • 42
  • @WildWind "ASP.NET_SessionId" is created as session cookie so technically it will never "expire"... you probably mean "still present" and not "is not expired". – Alexei Levenkov Feb 25 '19 at 02:20

1 Answers1

0

ASP.NET_SessionId cookie is created as "session cookie" (not "persistent" one - How do I create a persistent vs a non-persistent cookie?) and when browser closes completely (rarely happens now days) browser will drop all "session" cookies. Since value of the cookie is cryptographically secure random number there is no practical way to reconstruct the value of the cookie and hence retrieve value of old session from the server. Data associated with the value of the cookie will sit in server's memory (or SQL if you use SQL session state) but there will be no requests that can ask for it. Eventually the data will be cleaned when server side expiration happen (or server IIS process shuts down in case of in-memory session state).

Note that most modern browsers don't actually "close session" when you close all instances so you rarely see such case in practice. You can always "clear all cookies" to see it happening.

Alexei Levenkov
  • 96,782
  • 12
  • 124
  • 169
  • the content of ASP.NET_SessionId is a secure random number, but this is the only session number that web server needs, isn't it? so when I use session and close the browser, I can see the ASP.NET_SessionId still exist(for 20mins), so why if I kame another question, the server cannot access the session again? – amjad Feb 25 '19 at 02:40
  • 1
    @amjad Where do you "can see the ASP.NET_SessionId still exist"? The original statement you are asking about is for the case when browser lost that value completely. If you save request with that cookie (i.e. using Fiddler) you can replay it against the server and server will use the same data stored in session state (as long as it is not expired/lost on server side)... Also not clear what you mean " if I kame another question". Side note: "session state" and "session cookies" are unrelated concepts, only common thing is ASP.Net session state uses session cookies to store id. – Alexei Levenkov Feb 25 '19 at 04:41
  • OK, so you mean every time we close the browser, the asp.net session id will be erased. But let's say I write down this session id and send it to my friend, so when he tries to make a request to the server, the server will display my info to him? – amjad Feb 25 '19 at 04:45
  • 1
    @amjad yes, the value of that cookie is the only ID server needs to use the same session data. If you grab the value and send to your friend they indeed can access data from your session associated with that cookies (as long as your friends have some basic knowledge of HTTP tools like Fiddler or at least able to use Google/Bing for "set cookie by name using JavaScript") – Alexei Levenkov Feb 25 '19 at 04:49