I am new to asp.net and I don't understand why not to reuse the "ASP.NET_SessionId"?
From my understanding, every time a user requests a page from the server, the IIS creates for him an "ASP.NET_SessionId" and puts it in a cookie in the user browser.
I read about it here: https://support.microsoft.com/en-us/kb/899918 And couldn't figure out why I should delete this cookie for a user after he logout.
It says:
Sometimes, you may not want to reuse the session ID. If you do and if you understand the ramifications of not reusing the session ID, use the following code example to abandon a session and to clear the session ID cookie:
Session.Abandon();
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
Could you explain me what are the advantages of deleting this cookie and the disadvantages of reusing it?
If you don't delete it and you are using http then it's a security risk
e.g.
- Go to www.dodgyhacker.com, they have an invisible iframe which contains the login page for www.yoursite.com. They can see the cookie and send it to a remote server
- Now navigate to www.yoursite.com, the cookie isn't changed and you log on
- The dodgy hacker can now use your session cookie and get full access to the system
In reality there are others ways of protecting against this and I'm not a hacker so this may be slightly wrong but those are the essential steps
来源:https://stackoverflow.com/questions/37642982/why-not-to-reuse-asp-net-sessionid