asp.net cookie and session
Published: 2019-06-20


Reset the session ID when the user logs out.

If it is not reset, logging in again with a different account will still use the same session ID.

Try this when you abandon session/Logout:

    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing out that cookie, a new session with a new session ID will be created after second login.
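The logout sequence quoted above, written out as an added example for this page (it is not code from the original answer or from Microsoft): it abandons the server-side session, expires the ASP.NET_SessionId cookie outright instead of only blanking it, and signs out Forms Authentication so the user is not left "logged in" with an empty session. It assumes classic ASP.NET on System.Web with cookie-based session state and Forms Authentication; the handler name LogoutHandler and the login page path are assumptions.

```csharp
// Added example: a logout handler that makes the next login get a fresh session
// ID instead of reusing the old one (a session-fixation defence).
// Assumes System.Web (ASP.NET Web Forms / classic pipeline), cookie-based
// session state and Forms Authentication. Handler name and redirect target
// are hypothetical.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// IRequiresSessionState is needed so context.Session is populated in a handler.
public class LogoutHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Drop everything stored server-side for this session.
        if (context.Session != null)
        {
            context.Session.Abandon();
        }

        // 2. Overwrite the session cookie with an empty value that is already
        //    expired. Setting the value to "" alone still leaves a cookie the
        //    browser may keep sending; an Expires date in the past makes the
        //    browser delete it, so the next request carries no session ID and
        //    ASP.NET issues a new one.
        var sessionCookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = context.Request.IsSecureConnection,
            Path = "/"
        };
        context.Response.Cookies.Add(sessionCookie);

        // 3. Clear the forms-authentication ticket as well; otherwise the
        //    authentication cookie outlives the session data it belonged to.
        FormsAuthentication.SignOut();

        // Hypothetical login page; endResponse: false avoids the
        // ThreadAbortException that Response.Redirect(url) raises by default.
        context.Response.Redirect("~/Login.aspx", endResponse: false);
    }
}
```

Wire it up as a handler (for example /logout.ashx) and point the logout link at it. If you would rather reissue the ID at login time instead, System.Web.SessionState.SessionIDManager exposes CreateSessionID and SaveSessionID for that; the cookie-expiry approach above is the one the quoted answer describes.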

HttpResponse.Cookies and HttpRequest.Cookies

ASP.NET includes two intrinsic cookie collections. The collection accessed through the Cookies collection of HttpRequest contains cookies transmitted by the client to the server in the Cookie header. The collection accessed through the Cookies collection of HttpResponse contains new cookies created on the server and transmitted to the client in the Set-Cookie header.

After you add a cookie by using the HttpResponse.Cookies collection, the cookie is immediately available in the HttpRequest.Cookies collection, even if the response has not been sent to the client.

Answer 1

Sessions

are stored per-user in memory (or an alternative store) on the server. Sessions use a cookie (session key) to tie the user to the session. This means no "sensitive" data is stored in the cookie on the user's machine.

are generally used to maintain state when you navigate through a website. However, they can also be used to hold commonly accessed objects. This holds only if the Session-state mode is set to InProc; if it is set to another mode, the object must also be serializable.

    Session["userName"] = "EvilBoy";
    if (Session["userName"] != null)
        lblUserName.Text = Session["userName"].ToString();

Cookies

are stored per-user on the user's machine. A cookie is usually just a bit of information. Cookies are usually used for simple user settings: colours, preferences, etc. No sensitive information should ever be stored in a cookie.

You can never fully trust that a cookie has not been tampered with by a user or outside source; however, if security is a big concern and you must use cookies, then you can either encrypt your cookies or set them to only be transmitted over SSL. A user can clear his cookies at any time or not allow cookies altogether, so you cannot count on them being there just because a user has visited your site in the past.

    // add a username cookie
    Response.Cookies["userName"].Value = "EvilBoy";
    Response.Cookies["userName"].Expires = DateTime.Now.AddDays(10);
    // can limit a cookie to a certain domain
    Response.Cookies["domain"].Domain = "Stackoverflow.com";
    // request a username cookie
    if (Request.Cookies["userName"] != null)
        lblUserName.Text = Server.HtmlEncode(Request.Cookies["userName"].Value);

sidenote

It is worth mentioning that ASP.NET also supports state-management
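The cookie advice in Answer 1 (encrypt the cookie, or only send it over SSL), carried through as an added example that is not taken from the answer: a helper that seals a preference value with MachineKey.Protect so that a cookie altered on the client is rejected on read rather than trusted, and that sets HttpOnly and Secure on the cookie it writes. It assumes ASP.NET 4.5 or later on System.Web (where MachineKey.Protect and MachineKey.Unprotect exist) and a machineKey shared across all servers in the farm; the class name PrefsCookie, the cookie name and the purpose string are my own choices.

```csharp
// Added example: a tamper-evident, HttpOnly/Secure preference cookie.
// Assumes ASP.NET 4.5+ (System.Web). Class name, cookie name and purpose
// string are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class PrefsCookie
{
    private const string CookieName = "prefs";

    // The purpose string binds the protected payload to this one use, so a
    // blob protected for some other purpose under the same machine key cannot
    // be replayed here.
    private const string Purpose = "PrefsCookie.v1";

    // Writes the preference. overHttps should be Request.IsSecureConnection;
    // on an HTTPS site the cookie is then never sent in clear text.
    public static void Write(HttpResponse response, string theme, bool overHttps)
    {
        byte[] plain = Encoding.UTF8.GetBytes(theme);

        // Encrypts and MACs with the application's <machineKey>. A value that
        // has been edited on the client fails to Unprotect instead of being
        // accepted, which is the "encrypt your cookies" option in the answer.
        byte[] sealedBytes = MachineKey.Protect(plain, Purpose);

        var cookie = new HttpCookie(CookieName, Convert.ToBase64String(sealedBytes))
        {
            Expires = DateTime.UtcNow.AddDays(10),
            HttpOnly = true,     // not readable from script, limits theft via XSS
            Secure = overHttps,  // the "only over SSL" option in the answer
            Path = "/"
        };
        response.Cookies.Add(cookie);
    }

    // Returns the stored theme, or null when the cookie is absent, malformed,
    // or has been altered. Callers still HTML-encode the value before
    // rendering it, exactly as the answer does with Server.HtmlEncode.
    public static string Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        try
        {
            byte[] sealedBytes = Convert.FromBase64String(cookie.Value);
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            return plain == null ? null : Encoding.UTF8.GetString(plain);
        }
        catch (FormatException)        // not valid Base64: treat as absent
        {
            return null;
        }
        catch (CryptographicException) // tampered, or sealed under another key
        {
            return null;
        }
    }
}

// Usage inside a page (hypothetical label name):
//   PrefsCookie.Write(Response, "dark", Request.IsSecureConnection);
//   lblTheme.Text = Server.HtmlEncode(PrefsCookie.Read(Request) ?? "default");
```

Two caveats worth knowing: MachineKey.Protect gives confidentiality and integrity, not freshness, so an old valid cookie can still be replayed until it expires; and if several servers share the cookie, they must share the same machineKey in web.config, otherwise Unprotect throws on every server except the one that wrote it.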

Answer 2

A cookie is a client-side storage of your variables. It is physically stored on the client machine by the browser. Its scope is machine wide. Different users at the same machine can read the same cookie.

Because of this :

  1. You should not store sensitive data on cookie.
  2. You should not store data that belongs to one user account.
  3. Cookie has no effect on server resources.
  4. Cookie expires at specified date by you.

A session is a server-side storage of your variables. By default, it is stored in the server's memory, but you can configure it to be stored in SQL Server. Its scope is browser wide. The same user can run two or more browsers, and each browser has its own session.

Because of this :

  1. You can save sensitive data in session.
  2. You should not save everything in session; it's a waste of server resources.
  3. After the user closes the browser, the session timeout clears all information. (The default is 20 minutes.)

State management is a critical thing to master when coming to Web world from a desktop application perspective.

  • Session is used to store per-user information for the current Web session on the server. It supports using a database server as the back-end store.
  • Cookie should be used to store per-user information for the current Web session or persistent information on the client; therefore the client has control over the contents of a cookie.
  • Cache object is shared between users in a single application. Its primary purpose is to cache data from a data store and should not be used as a primary storage. It supports automatic invalidation features.
  • Application object is shared between users to store application-wide state and should be used accordingly.

If your application is used by a number of unauthenticated users, I suggest you store the data in a cookie. If it requires authentication, you can either store the data in the DB manually or use ASP.NET profile management features.

Exploring Session in ASP.NET

Reposted from: http://wfkwa.baihongyu.com/
