Your session ID is being reused and there is nothing you can do about it

For many years we have been used to the fact that the ASP.Net session ID uniquely identifies one session, and one session only. Back in 2006, Margaret Rouse from TechTarget even wrote in the definition of a session ID that:

Every time an Internet user visits a specific Web site, a new session ID is assigned. Closing a browser and then reopening and visiting the site again generates a new session ID. However, the same session ID is sometimes maintained as long as the browser is open, even if the user leaves the site in question and returns. In some cases, Web servers terminate a session and assign a new session ID after a few minutes of inactivity.

Margaret Rouse, TechTarget

But a feature in modern browsers changes this paradigm. If you select the “Continue where you left off” feature in the Google Chrome browser:

Google Chrome Setting

… the browser will keep the session cookie, and therefore the session ID, across browser restarts, even when the server-side session has expired and a new session is started.

EXAMPLE:

I have enabled the “Continue where you left off” feature in my Google Chrome.
This is my current session ID.

Current Session ID

For the sake of this test, my session will expire in 1 minute. I am using SQL Server as my session state provider, so I can find my session in the database:

Session in SQL

My ASP.Net Global.asax Session_Start() event is fired when my session is created:

protected void Session_Start(object sender, EventArgs e)
{
  // do stuff
}

I now close my browser, and wait 1 minute. After 1 minute of inactivity, my session expires, and the session is removed from the Session state provider:

Session Provider is empty

When I reopen my browser, I would have expected a new session ID to be generated. But no, a new session is created with the same session ID:

New session created with same ID

ASP.Net fires the Global.asax Session_Start() event as expected, since a new session has been created.

WHY IS THIS IMPORTANT TO KNOW?

This behavior means that you cannot use the session ID to uniquely identify one user session. Data collection cannot rely on the session ID as a unique key, and anonymous user statistics keyed on the session ID will be skewed, because you will see multiple Session_Start events for the same session ID.

As an edge case, we risk that the session ID will no longer be considered anonymous. The GDPR rules clearly state that user-identifiable data cannot be collected without the consent of the user. When the session ID never changes, one could argue that it is user identifiable, just like an IP address or a user name, because it lives on the user's machine indefinitely.

WHAT CAN YOU DO ABOUT IT?

It is possible to generate a new session ID, but it requires some postbacks, so this solution is only feasible as a way to generate a new session ID when the user logs in, or when a user has finished a shopping transaction.

This StackOverflow thread discusses the possibilities of creating a new session ID.

If you plan on using the session ID as a data collection key, don’t. Instead, create your own key, and use that. For ASP.Net solutions that have a Global.asax file, you can create a new “session key” every time a new session starts:

protected void Session_Start(object sender, EventArgs e)
{
  HttpContext.Current.Session.Add("s_id", Guid.NewGuid().ToString());
}

In your data collection methods, replace SessionID with the custom property:

public static void Collect(HttpContext context, string behavior)
{
  if (context != null && context.Session != null)
  {
    // Don't do this: the SessionID can be reused across several sessions
    // string key = context.Session.SessionID;

    // Use the custom key created in Session_Start instead
    string key = context.Session["s_id"] as string;
    if (key == null)
    {
      // Session_Start did not run for this request; nothing to correlate on
      return;
    }

    // ... store (key, behavior) in your data collection store
  }
}
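The reuse described in the example section (Session_Start firing again with an ID the browser already had) and the per-session key from the two snippets above, combined into one Global.asax. This is an added example, not code from the original post; it assumes the default session cookie name ASP.NET_SessionId and the "s_id" key used on this page, and the OnSessionIdReused logging hook is a hypothetical placeholder.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Assumed default cookie name; adjust if <sessionState cookieName="..."> is set.
    private const string SessionCookieName = "ASP.NET_SessionId";
    private const string CollectionKeyName = "s_id";

    protected void Session_Start(object sender, EventArgs e)
    {
        // Session_Start only fires when a new session state item is created.
        // If the request already carried the session cookie, the browser presented
        // an ID from an earlier (expired) session and ASP.NET reused it instead of
        // issuing a fresh one. The raw header is inspected rather than
        // Request.Cookies, because cookies ASP.NET adds to the response during
        // this request also show up in Request.Cookies.
        string rawCookies = Request.Headers["Cookie"];
        bool idReused = Session.IsNewSession
            && rawCookies != null
            && rawCookies.Contains(SessionCookieName + "=");

        // Always issue our own per-session key, independent of SessionID.
        Session[CollectionKeyName] = Guid.NewGuid().ToString("N");

        if (idReused)
        {
            // Hypothetical hook: count reused IDs so statistics keyed on
            // SessionID can be interpreted correctly.
            OnSessionIdReused(Session.SessionID);
        }
    }

    private static void OnSessionIdReused(string sessionId)
    {
        System.Diagnostics.Trace.TraceInformation(
            "Session ID reused after expiry: {0}", sessionId);
    }
}

public static class SessionKey
{
    // Returns the per-session key used for data collection, creating one
    // if Session_Start did not run (e.g. session state created lazily).
    public static string Get(HttpSessionState session)
    {
        if (session == null) return null;
        string key = session["s_id"] as string;
        if (key == null)
        {
            key = Guid.NewGuid().ToString("N");
            session["s_id"] = key;
        }
        return key;
    }
}
```

Data collection code then calls SessionKey.Get(context.Session) instead of reading SessionID, and the reuse count from the hook tells you how often the same ID spans several sessions.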

About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
