SessionID is still the same after Session.Abandon call

I’m writing some logging code that is based on SessionID…

However, when I log out (calling Session.Abandon), and log in once again, SessionID is still the same. Basically every browser on my PC has it’s own session id “attached”, and it won’t change for some reason :/

Any ideas what is going on?

My Session config looks like this:

       timeout="1" />

Thanks, Paweł

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Check this article which explains the process on session.abandon

Taken from above link –

“When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance”

Solution 2

This is a default behavior by design as stated here:

Session identifiers for abandoned or expired sessions are recycled by default. That is, if a request is made that includes the session identifier for an expired or abandoned session, a new session is started using the same session identifier. You can disable this by setting regenerateExpiredSessionId attribute of the sessionState configuration element to true

You can disable this setting as mentioned above.

EDIT: Setting regenerateExpiredSessionId attribute to true works only for cookieless sessions. To overcome your problem, you can consider to implement a custom class that inherits SessionIDManager class. You can get information about that here and here.

Solution 3

This is an old post but if someone is still looking for answers, here is a complete and step-by-step solution on how to achieve a clean logout with a new session ID every time.

Please note this article applies to cookie-enabled (cookieless=false) sites only.

Step (1) Modify your web.config file & add “regenerateExpiredSessionID” flag as under –

<sessionState mode="InProc" cookieless="false" regenerateExpiredSessionId="true" />

Step (2) Add the following code in your logout event –

Response.Cookies.Add(New HttpCookie("ASP.NET_SessionId", ""));
Response.redirect(to you login page);

Step (3) Add the following code in your login page’s page_load event –


Step 2 and 3 serve one IMPORTANT purpose. This code makes sure a brand new Session ID is generated after you click the “Login” button. This prevents Weak Session Management (Session Fixation vulnerability) which will likely be spotted during a 3rd party Penetration Testing of your site.

Hope this helps.

Solution 4

Here’s what worked for me, the only caveat is that this code need to be separated from your login routine.

Response.Cookies("ASP.NET_SessionId").Expires = DateTime.Now.AddYears(-30)

It will not take effect until the page is finished loading. In my application I have a simple security routine, that forces a new ID, like this:

if session("UserID") = "" then 
    Response.Cookies("ASP.NET_SessionId").Expires = DateTime.Now.AddYears(-30)
end if

Solution 5

You may explicitly clear the session cookie. You should control the cookie name by configuration and use same name while clearing.

Clearing session cookie when session is abandoned will force ASP.NET to create new session & sessionid for next request. BTW, yet another way to clear the session cookie is to use SessionIDManager.RemoveSessionID method.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply