Hi,
I am using the session for my pre- and post-login state, like below:

    // Login page
    protected void Page_Load(object sender, EventArgs e)
    {
        // Pre-login: mark the visitor as a guest if no login is stored yet.
        if (string.IsNullOrEmpty(Convert.ToString(Session["LoginId"])))
            Session["LoginId"] = "Guest";
    }

    protected void page_btnLogin_Click(object sender, EventArgs e)
    {
        // Post-login: the same session (and session ID) now holds the user ID.
        Session["LoginId"] = "SomeUserId";
        Response.Redirect("PostloginPageURL");
    }

    // Post-login page
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!string.Equals(Convert.ToString(Session["LoginId"]), "SomeUserId"))
            Response.Redirect("loginPageURL");
        else
        {
            // Logged in: continue loading the page.
        }
    }

As you can see above, I am using the same session to manage both my pre- and post-login state. This may lead to session hijacking by using the session ID.
So after a long search I came to the conclusion that one needs to change the session ID, because both the pre- and post-login sessions have the same session ID.
After some more searching I found the following code for creating a new session ID:
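
    protected void page_btnLogin_Click(object sender, EventArgs e)
    {
        // Mark the current session for abandonment.
        Session.Abandon();
        // Send an empty session cookie so that a new session ID is issued.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
        // Store the logged-in user.
        Session["LoginId"] = "SomeUserId";
    }
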
The above code is successful in generating a new session ID.
But I am unable to retrieve my saved value, i.e. I am unable to get the value of the session on the other page.
I tried all of the below:
- Removed Session.Abandon(); and checked ---> FAILED
- Tried Response.Redirect("MyUrl", false) ---> FAILED
- Tried Server.Transfer("MyUrl") ---> FAILED
Valid answers are appreciated.
Thank you.
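
An added example, not part of the original post: one way to rotate the session ID at login without losing the login state. After `Session.Abandon()` the replacement session only exists from the next request, so a value written in the same request is discarded with the old session; here the identity travels in a Forms Authentication ticket and the new session is filled on the post-login page. It assumes `<authentication mode="Forms">` and a configured membership provider in web.config; the class names and the `txtUser`/`txtPassword` controls are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    // Assumed controls, bound to the TextBoxes declared in the .aspx markup.
    protected TextBox txtUser;
    protected TextBox txtPassword;

    protected void page_btnLogin_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUser.Text, txtPassword.Text))
            return; // bad credentials: keep the guest session untouched

        // Drop the pre-login session and blank its cookie, so the browser's
        // next request is issued a fresh session ID.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "") { HttpOnly = true });

        // Carry the identity in the signed forms-auth ticket rather than in
        // the session that has just been abandoned.
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);
        Response.Redirect("PostloginPageURL", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

public class PostLoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            Response.Redirect("loginPageURL", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // This request already runs under the new session ID, so values
        // stored here persist for the rest of the logged-in session.
        if (Session["LoginId"] == null)
            Session["LoginId"] = User.Identity.Name;
    }
}
```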