How to logout in an ASP.NET application with session – abandon, clear or remove

Introduction

"What to do with session when we logout in an ASP.NET application?" This is a basic question that should be clear in mind of every ASP.NET developer. Though this thing has been answered in many places, but i didnot found the collective ans that easily. I will try below to make the things simple and clear.

Let's Begin 

Normally when we store the session value for user we do some thing like this

Session.Add("User",Customer); 

User becomes the key for storing session and Customer class object becomes the value. This is just an expample as we all know that you can know you can store any type, content, value with a key in a session(Note that there are certain good practices or key pointers on what kind of data should be stored in session, will cover that in a seperate article later)

What this statement does is, it adds a session variable with key value pair and you depend on it to identify whether the user is logged in or logout.

Now coming back to our topic “How to logout?”. You can do three things here, Session.Remove(), Session.Clear(), or Session.Abandon(). But now we need to understand when to use what. Let me explain it one by one

1. Session.Clear()

It clears a session simple! OK that means it clears all the key value pairs stored in the session state collection but thats it. Nothing more. You will get rid of all key value pairs but the sessionid is still there and you can still identify the session state by comparing sessionid. The Session state collection still exist with the same session id. Use this in situation, say you have a shopping site the the user is still not logged in. Now say you want to clear a shopping cart. That means you will clear all session dependencies for anonymous user.

2. Session.RemoveAll()

This chap just calls the above clear method in its impementation, so for ease you can say there is no difference. See the following code: 

public sealed class HttpSessionState : ICollection, IEnumerable
{
   .....
   public void RemoveAll()
   {
       this.Clear();
   }
   .....
} 

3. Session.Remove(“key”)

It removes the specific session’s specific key value pair. Use this if you do not want to get rid of all key value pairs in session state collection but only a specific one. A typical usage is in scenario where you use a session variable to store state information across a section of a website, say you customer is using a coupon in there shopping cart checkout process. You decide that you want to store this information in session rather in database till the transaction is confirmed. So this session variable makes sense only inside the checkout process and you would wish to remove this variable when the process is complete or terminated.

4. Session.Abandon()

This is the absolute winner if your purpose for reading this article to find the absolute way to destroy everything in terms of session. It even destroys the session state collection and that particular sessionid. Moreover it also raises event Session_End inside global.asax, informing that mission is complete, at allows you to take some action based on the situation, say you want to decrement a counter for active users somewhere.

One thing to note here that Session.Clear remove items immediatly but Session.Abandan marks the session to be abandoned at the end of the current request. That simply means that suppose you tried to access value in code just after the session.abandon command was executed, it will be still there. So do not get confused if your code is just not working even after issueing session.abandon command and immideatly doing some logic with the session.

More Details : Garbage Collection

If you are thinking about resources, memory hence Garbage Collection, read on.

1. Session.Clear : Releases all key value pairs immideatly and make them available for garbage collection. But the Resource used by SessionState Collection are intact and booked as is.

2. Session.Abandon : Releases sessionstate itself to be garbage collected when chance arrives. Only point to note that it happens just before the current request is fulfilled.

Also i have seen many places that they use ultimate combination as following:

Session.Clear();
Session.RemoveAll();
Session.Abandon();
Response.Redirect("somepage.aspx"); 

Dont do that please. Just think about the purpose and use the appropriate command. Dont use it just because it works in all situation but just think unnecessary work that is going on to fullfill these commands all together. Just know what you are doing