locked
ASP.NET_SessionId Cookie RRS feed

  • Question

  • User589052352 posted

    4 questions:

    1. When this cookie is created?

    2. Where to check for the existance of it? (global.asax file or in pageload event.)

    3. What kind of check? Should it be Request.Cookie or Response.Cookie?

    4. Since Session.SessionID and Request/Response .Cookie("Asp_net.sessionid")  are same thing, will the expiration of session will be differnt than expiration of Asp_net.sessionid cookie?

     

    Regards

    Tuesday, November 10, 2009 11:10 AM

Answers

  • User589052352 posted

    Hi RickNZ,

    I am little disagree about the statement that I have to explicitly save something in session to have session cookie created by asp.net

    What I tried is following:

    1. I created a new empty project. Added Global.asax file and put the breakpoint on End Sub as here:

       Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Code that runs when a new session is started
                   
        End Sub
    

    I didnt get cookie but if I keep debugging it for atleast 3 times, then I will get a cookie. To clear that cookie, I have to close the project and start again and again I will get cookie (prob the 3rd or 4 time).  Dont know why it wasnt there the first time and later gets added to collection.

    2. For the following case, I will definitely get a cookie right way when I do the check on the if statement as below. For the following I dont need to run the debugger multiple times. I will get cookie as soon as I pass the "if" statement in the following code:

        Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Code that runs when a new session is started
            
            If Session.SessionID <> "" Then
                
            End If
                    
        End Sub


    Regards

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 4:35 PM
  • User1566012831 posted

    This just came up in another thread too.

    It turns out that a session cookie is also set if you have a Session_Start() event handler.  I'm not sure about the third or fourth access part...

    However, if you don't have Session_Start(), then the cookie isn't set until you store something in the Session dictionary.  This approach is really how the system was intended to work.  The Session_Start() thing feels like a hack of some kind to me.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 7:42 PM
  • User589052352 posted

    However, if you don't have Session_Start(), then the cookie isn't set until you store something in the Session dictionary.  This approach is really how the system was intended to work.  The Session_Start() thing feels like a hack of some kind to me.

     

    I still dont see cookie being created if you just include the session_start() function only unless I do add something or check if the session got created before cookie is added to collection .

    Have you tried it?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 11:13 PM

All replies

  • User-504499122 posted

    This cookie is automatically generated by asp.net. You do not have control over it. It is created the first time your application is accessed over the browser. You can enable Page tracing to see it or, you can get a tool similar to HTTPWatch to view it.


    If you are programmatically trying to access it, use the Request.Cookie. When you create a cookie from your code, you use Response.Cookies collection to send cookie as part of the Response stream

    Tuesday, November 10, 2009 11:19 AM
  • User589052352 posted

    But If I want to access that cookie when the user first requests the page (before the server sends the page to browser), then the Request.Cookie will always be empty. Dont you think ?

    Since this cookie is automatically created, it shld be in Response.Cookie collection but I also get that object with 0 count of cookies.

    How do I access it at that time?

    Tuesday, November 10, 2009 11:21 AM
  • User-504499122 posted

    The cookie will be generated the first time you access the application, unless the page has EnableSessionState set to false. You should get 1 as Response.Cookies.Count



    Tuesday, November 10, 2009 12:26 PM
  • User589052352 posted

    Let me ask you this, how can I assure if new sessionid is created or not before I check the Response.cookie collection because if sessionid wont be created then no cookie will be created as well. 

    Tuesday, November 10, 2009 12:38 PM
  • User-504499122 posted

    The only reason the cookie will not be created is, if your browser some how blocks the cookies. Try creating a sample cookie from your code and see if it gets created and also try reading it from a different page to see the existence of it.

    If you get a chance, try using the Fiddler tool to look at the HTTP headers and other information

    Tuesday, November 10, 2009 12:57 PM
  • User589052352 posted

    Well creating /adding cookie myself will definitely put a cookie in the collection but when I m saying abt the "asp.net_Sessionid" cookie,   I have seen sometimes I dont get the cookie and sometimes I do.

    So I was thinking that I will check if the sessionid is created or not and cookie will be created based on that.

    Fiddler will just tell me if what all inside the http object. It wont tell me the reasons.

    Tuesday, November 10, 2009 1:16 PM
  • User-504499122 posted

    Fiddler will just tell me if what all inside the http object. It wont tell me the reasons.

    I am repeating what I said again. Unless your browser blocks the cookies, asp.net session id cookie will be created. If you do not see it, the fault lies in the code you use or how you use.


    Yes, Fiddler like any tool gives you the information and how you use it is upto you.

    Tuesday, November 10, 2009 6:11 PM
  • User589052352 posted

    WELL I M ALSO TELLING YOU THAT MY BROWSER IS NOT BLOCKING COOKIES.

     

    Tuesday, November 10, 2009 6:35 PM
  • User-504499122 posted

    calm down saqib. Try a different approach if the original does not work and explain the problem clearly.. You arent going to get much help shouting

    Tuesday, November 10, 2009 7:08 PM
  • User589052352 posted

    I m not shouting.

    Tuesday, November 10, 2009 10:50 PM
  • User1566012831 posted

    4 questions:

    1. When this cookie is created?

    2. Where to check for the existance of it? (global.asax file or in pageload event.)

    3. What kind of check? Should it be Request.Cookie or Response.Cookie?

    4. Since Session.SessionID and Request/Response .Cookie("Asp_net.sessionid")  are same thing, will the expiration of session will be differnt than expiration of Asp_net.sessionid cookie?

    1. The first time a session-enabled page is accessed by a user without an active session, from a session-enabled application, and something is stored in the Session dictionary.  If you don't store anything in the dictionary, the cookie won't be set.

    2. Depends.  You can certainly see it in the Page_Load() event, although only for pages after the first time it's set.

    3. Normally, you would look in the Request object to see cookies that are being sent by the browser.

    4. I believe the default implementation does not set an explicit expiration date for the session ID cookie.  Instead, I think it's set as a session cookie.  The expiration date is stored behind the scenes somewhere (in the DB if you're using SQL mode).

    Tuesday, November 10, 2009 11:19 PM
  • User1566012831 posted

    Let me ask you this, how can I assure if new sessionid is created or not before I check the Response.cookie collection because if sessionid wont be created then no cookie will be created as well. 


    You can check the Session.IsNewSession flag to see if the current request has generated a new session ID.  The Session_Start() event handler in Global.asax should also be called.

    A new session cookie won't be stored in the Response object until after your page runs.  That's done by the Session HttpModule at a later stage of the life cycle.  If you need to intercept that cookie for some reason, you would need to do so from an HttpModule of your own.


    Tuesday, November 10, 2009 11:24 PM
  • User-748361252 posted

    RickNZ wrote "1. The first time a session-enabled page is accessed by a user without an active session, from a session-enabled application, and something is stored in the Session dictionary. If you don't store anything in the dictionary, the cookie won't be set."


    The Cookie will set when user will access the application for first time, it does not matter whether you set any thing in session dictionary or not.

    Your all other details are correct.

    Tuesday, November 10, 2009 11:42 PM
  • User1566012831 posted

    I was just having a discussion along these lines with SGWellens in another thread, where I posted example code and the corresponding HTTP headers to demonstrate my point:

    http://forums.asp.net/t/1486531.aspx

    The code enables sessions, but a session ID cookie is not set.  Try it yourself.

    If you have a counter-example, please share.  However, please be aware that some HttpModules store things in the Session dictionary behind the scenes.  That will have the same effect as storing something from the page, and *will* cause the session cookie to be set.


    Tuesday, November 10, 2009 11:52 PM
  • User589052352 posted

    You can check the Session.IsNewSession flag to see if the current request has generated a new session ID.  The Session_Start() event handler in Global.asax should also be called.

     

    1. So the Session.IsNewSession shld be True the first time and would be false the rest of the time. M i right?

    2. What to do if Session.IsNewSession (somehow) return false the first time as well?

     

    Tuesday, November 10, 2009 11:56 PM
  • User-748361252 posted


    I am sorry for creating confusion. you are right sir.:)

    Wednesday, November 11, 2009 12:15 AM
  • User589052352 posted

    However, please be aware that some HttpModules store things in the Session dictionary behind the scenes.  That will have the same effect as storing something from the page, and *will* cause the session cookie to be set.

     

    Wow, What httpmodules are those? When that happens and why it does not happen everytime so that I dont have to store session explicitly in dic?

     

    Wednesday, November 11, 2009 12:16 AM
  • User1566012831 posted

    1. So the Session.IsNewSession shld be True the first time and would be false the rest of the time. M i right?

    2. What to do if Session.IsNewSession (somehow) return false the first time as well?

    1. Session.IsNewSession should be true whenever the session HttpModule had to create a new session ID.  That happens only when it didn't detect an existing one in a cookie.

    2. Debug your code?  Debug other code that your code interacts with (HttpModules, in particular)?  Report the bug to Microsoft?

    Keep in mind, though, that Session.IsNewSession won't tell you if a session cookie will be set.  It also won't tell you if a session cookie will be accepted by a browser.  For example, if a browser is running in High security mode, it won't accept any cookies unless you also have a P3P header set (I talk about this in my book).

    Wednesday, November 11, 2009 12:17 AM
  • User1566012831 posted

    Wow, What httpmodules are those? When that happens and why it does not happen everytime so that I dont have to store session explicitly in dic?

    None of the standard in-the-box ones that I'm aware of -- the usual offenders are third-party code, or code from your own project.

    You can write your own HttpModule to store something in the session dictionary (and thereby force the session cookie to be set) every time it encounters a new session, if you want.  It would only be a few lines of code.  Alternatively, you could do the same thing from a Page base class or a Page Adapter.


    Wednesday, November 11, 2009 12:24 AM
  • User589052352 posted

    Hi RickNZ,

    I am little disagree about the statement that I have to explicitly save something in session to have session cookie created by asp.net

    What I tried is following:

    1. I created a new empty project. Added Global.asax file and put the breakpoint on End Sub as here:

       Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Code that runs when a new session is started
                   
        End Sub
    

    I didnt get cookie but if I keep debugging it for atleast 3 times, then I will get a cookie. To clear that cookie, I have to close the project and start again and again I will get cookie (prob the 3rd or 4 time).  Dont know why it wasnt there the first time and later gets added to collection.

    2. For the following case, I will definitely get a cookie right way when I do the check on the if statement as below. For the following I dont need to run the debugger multiple times. I will get cookie as soon as I pass the "if" statement in the following code:

        Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
            ' Code that runs when a new session is started
            
            If Session.SessionID <> "" Then
                
            End If
                    
        End Sub


    Regards

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 4:35 PM
  • User1566012831 posted

    This just came up in another thread too.

    It turns out that a session cookie is also set if you have a Session_Start() event handler.  I'm not sure about the third or fourth access part...

    However, if you don't have Session_Start(), then the cookie isn't set until you store something in the Session dictionary.  This approach is really how the system was intended to work.  The Session_Start() thing feels like a hack of some kind to me.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 7:42 PM
  • User589052352 posted

    However, if you don't have Session_Start(), then the cookie isn't set until you store something in the Session dictionary.  This approach is really how the system was intended to work.  The Session_Start() thing feels like a hack of some kind to me.

     

    I still dont see cookie being created if you just include the session_start() function only unless I do add something or check if the session got created before cookie is added to collection .

    Have you tried it?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, November 13, 2009 11:13 PM
  • User1566012831 posted

    No, I haven't tried it myself -- I was just reporting what someone observed in another thread.

    I tend to avoid Session_Start(), and instead put that type logic in an HttpModule or maybe a page base class, and check Session.IsNewSession.

    In fact, I try to avoid session state as much as I can; too many odd corner cases, performance hiccups, etc, etc. for my taste.  There are often much better ways to do things.



    Saturday, November 14, 2009 12:10 AM