Session values not clearing after using session.clear and session.abandon

  • Question

  • User-517437916 posted

    Hi everyone,

    After running penetration tests on our site, our IT Security team pointed out that session IDs on our server don't get cleared out after the users log out.

    Our code to clear the session is as follows:

    Session.Contents.Clear()
    Session.Contents.RemoveAll()
    Session.Contents.Abandon()
    Session.Abandon()
    
    Dim Cookie1 As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, "")
    Cookie1.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(Cookie1)
    
    Dim Cookie2 As HttpCookie = New HttpCookie("ASP.NET_SessionId", "")
    Cookie2.Expires = DateTime.Now.AddYears(-1)
    Response.Cookies.Add(Cookie2)
    
    FormsAuthentication.SignOut()
    Response.Redirect("~/login.aspx")

    We confirmed this by having UserA log in and forging cookies based on that login. After UserA logs out, we log in UserB and as expected, we acquired all the session values stored in UserA's sessionID. 

    Is there any other way to clear the session data?

    Thanks in advance!

    Monday, July 13, 2015 6:04 AM

Answers

  • User281315223 posted

    The Session.Clear() and Session.Abandon() methods should both be sufficient, and the FormsAuthentication.SignOut() method should do its job clearing out any authentication-related cookies as well.

    So you should be able to use the following, which should ensure everything gets cleared out:

    Session.Clear();
    Session.Abandon();
    FormsAuthentication.SignOut();
    FormsAuthentication.RedirectToLoginPage();

    I suppose that caching could be a possible culprit in this case, but as far as the code that you provided, that should be sufficient.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 13, 2015 8:36 AM
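    An added example, not code from this thread or from any of its posters, showing how a logout handler and the login side fit together so that a session ID captured before logout is worthless afterwards. It is C# (like the accepted answer; the question's own code is VB.NET) for classic ASP.NET Web Forms on System.Web with FormsAuthentication. The class and method names (SessionHardening, Logout, RegenerateSessionId, ExpireCookie) and the login page URL are hypothetical; the cookie name ASP.NET_SessionId is the default one the question already uses.

```csharp
// Added example: hardened logout plus login-time session ID regeneration for
// classic ASP.NET (System.Web). Names below are illustrative, not a project API.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public static class SessionHardening
{
    // Logout: clear values now, abandon the session (applied when the request
    // ends, as the answer above notes), and expire both cookies so the browser
    // cannot present the old session ID or the old auth ticket again.
    public static void Logout(HttpContext context, string loginUrl)
    {
        HttpSessionState session = context.Session;
        if (session != null)
        {
            session.Clear();    // values are gone for the rest of this request
            session.Abandon();  // the store entry is removed after the request completes
        }

        FormsAuthentication.SignOut();

        // Abandon() on its own leaves the session cookie in the browser, and a
        // well-formed ID that is presented again is accepted, so expire it too.
        ExpireCookie(context, "ASP.NET_SessionId");
        ExpireCookie(context, FormsAuthentication.FormsCookieName);

        // Redirect ends the request, which is the point at which Abandon takes effect.
        context.Response.Redirect(loginUrl, endResponse: true);
    }

    // Login: after the credential check and before anything is written to
    // Session, issue a fresh ID so the pre-login (possibly attacker-known) ID
    // is never promoted to an authenticated one.
    public static string RegenerateSessionId(HttpContext context)
    {
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
        return newId;
    }

    private static void ExpireCookie(HttpContext context, string name)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection
        };
        context.Response.Cookies.Add(cookie);
    }
}
```

    Usage: the sign-out button calls SessionHardening.Logout(Context, "~/login.aspx"); the login page calls SessionHardening.RegenerateSessionId(Context) once credentials are verified and only then stores user data in Session. The check the question's IT Security team ran still applies: capture the cookies from a logged-in user, log that user out, and replay the captured cookies; the replay must land on the login page with an empty Session rather than on another user's data.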
  • User-517437916 posted

    Hi all,

    Thanks for all your responses. The issue on the session was resolved but we still don't know the exact reason why this is happening. We redid the process of logging and verifying the users. The process was still similar to the old one but, just as strange, the session problem disappeared. I am still on the process of comparing the old code with the new one.

    I will post on the findings if we pinpoint the exact culprit causing the session to persist.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, July 21, 2015 9:03 PM

All replies

  • User-517437916 posted
    Hi Rion,

    Thanks for the reply.

    We did set caching to no-store and disabled kernel cache before the said test... do we need to re-enable the cache?

    The only time the session gets cleared is when the session timeout is reached
    Monday, July 13, 2015 9:26 AM
  • User281315223 posted

    We did set caching to no-store and disabled kernel cache before the said test... do we need to renable the cache?

    This should be fine, my concern was that caching was actually enabled and was causing some artifact data to be served from the cache when it shouldn't be.

    The only time the session gets cleared is when the session timeout is reached

    The Session should be getting cleared via the Session.Abandon() or Session.Clear() methods, however it's important to remember that these are not going to be performed until AFTER the request they are called in has completed. Could you post an example of code where you are calling / referencing the Session?

    Monday, July 13, 2015 9:42 AM
  • User-517437916 posted

    We store data to session like this

    Session("UserData") = txtUserData.Text

    then we retrieve the data by

    txtUserData.Text = Session("UserData")

    If I am not mistaken, we should be getting null values on the keys after Session.Clear() is called. But even that doesn't happen.

    Monday, July 13, 2015 7:09 PM
  • User281315223 posted

    If I am not mistaken, we should be getting null values on the keys after Session.Clear() is called.

    Are you attempting to retrieve the values within the same request like the following example :

    Session.Clear()
    txtExample.Text = Session("ExampleKey")

    I'm not sure whether both the Clear and Abandon methods are not executed until the current request has completed, but that may be the case. However, if the Session is accessed in a subsequent request, it should be empty.

    Tuesday, July 14, 2015 8:31 AM
  • User-517437916 posted
    No. We use session.clear and abandon only on the signout button. If the code did what it was supposed to, then we should have null values on the next request even if we hijack the session.
    Tuesday, July 14, 2015 9:36 AM
  • User-693045842 posted

    Hi tolentino,

    session.clear: Removes all keys and values from the session-state collection.

    session.abandon: removes all the objects stored in a Session.

    Have you solved your problem? I think if using session.clear and abandon, it will clear the session, too strange...

    lemo

    Monday, July 20, 2015 7:17 AM
  • User-1596463 posted

    Hi Em Tolentino,

    use the following code on every page load on which login is mandatory:

    HttpContext.Current.Response.Cache.SetAllowResponseInBrowserHistory(false);
    HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);

    The above code clears any cache of data in the browser.

    For more follow the link http://www.niceonecode.com/Q-A/DotNet/CSharp/How-to-implement-Session-in-C-sharp/20098

    Monday, July 20, 2015 8:10 AM
  • User753101303 posted

    Hi,

    What do you see exactly? Have you tried a test page showing the current date/time and perhaps one button to create a session variable and one button to clear them (and when you click one of those buttons it does the action and then shows again all session variables)? You should really see that it works.

    Or could it be that you are using something like the browser back button etc.? Ah, and your session provider is?

    Tuesday, July 21, 2015 2:07 PM