Difference with regenerateExpiredSessionId="false" and regenerateExpiredSessionId="true" .net

nLL · Sep 21, 2009 · Viewed 19.8k times

My understanding from

http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.regenerateexpiredsessionid.aspx

the meaning of regenerateExpiredSessionId="false" was that if a session ID expired, it will NOT be reused if the client requests a URL with the same ID.

And the meaning of regenerateExpiredSessionId="true" was that if a session ID expired, it will be reused (recycled) if the client requests a URL with the same ID.

But when I read the post at

regenerateExpiredSessionId not working as expected

it seems that I misunderstood what regenerateExpiredSessionId="true" means.

Can someone explain which is right?

Answer

Ashish · Oct 7, 2011

By default, the session ID values that are used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started by using the SessionID value that is supplied with the request. This can result in a session unintentionally being shared when a link that contains a cookieless SessionID value is used by multiple browsers. (This can occur if the link is passed through a search engine, through an e-mail message, or through another program.) You can reduce the chance of session data being shared by configuring the application not to recycle session identifiers. To do this, set the regenerateExpiredSessionId attribute of the sessionState configuration element to true. This generates a new session ID when a cookieless session request is made with an expired session ID.

Ref: http://msdn.microsoft.com/en-us/library/ms178581.aspx
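
A configuration check for the setting described in the answer above, added here as an example and not part of the original question or answer: it reads a web.config and reports whether cookieless session IDs that have expired would be reused. The function name `audit_session_state` and both sample configurations are constructed for illustration; an unset regenerateExpiredSessionId is reported for review rather than assumed to be either value.

```python
import xml.etree.ElementTree as ET

# cookieless values that can place the session ID in the URL
# (HttpCookieMode names plus the legacy "true").
URL_MODES = {"true", "useuri", "autodetect", "usedeviceprofile"}

# Constructed sample web.config fragments (not taken from the page).
SAMPLE_RECYCLING = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="UseUri"
                regenerateExpiredSessionId="false" timeout="20" />
</system.web></configuration>"""

SAMPLE_REGENERATING = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="UseUri"
                regenerateExpiredSessionId="true" timeout="20" />
</system.web></configuration>"""


def audit_session_state(web_config_xml):
    """Return a (status, detail) pair for every <sessionState> element."""
    findings = []
    for node in ET.fromstring(web_config_xml).iter():
        # Compare the local name so a default xmlns on <configuration> is tolerated.
        if node.tag.rsplit("}", 1)[-1] != "sessionState":
            continue
        mode = (node.get("cookieless") or "").strip().lower()
        regen = node.get("regenerateExpiredSessionId")
        if mode not in URL_MODES:
            findings.append(("ok", "session ID is not carried in the URL"))
        elif regen is None:
            findings.append(("review", "cookieless IDs in the URL and "
                             "regenerateExpiredSessionId is not set explicitly"))
        elif regen.strip().lower() == "true":
            findings.append(("ok", "an expired cookieless ID gets a new session ID"))
        else:
            findings.append(("risk", "an expired cookieless ID is reused, so a "
                             "shared link can end up sharing one session"))
    return findings


if __name__ == "__main__":
    for name, xml in (("recycling", SAMPLE_RECYCLING),
                      ("regenerating", SAMPLE_REGENERATING)):
        for status, detail in audit_session_state(xml):
            print(f"{name}: [{status}] {detail}")
```
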