Same sessionid after invalidating session

When your program attempts to retrieve that session, it will fail.

If you are using getSession() and it does return a session, it should be a new one; see the isNew() method of HttpSession.

You should be using getSession(false), which would return null if the old session has indeed been invalidated.

Bill, I agree that the old session is not getting retrieved. If yes, is there a way I can invalidate the cookie?

But my problem is that using a combination of Back and Refresh I am able to login to the application without having to enter the credentials again.
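The checks discussed in the thread, as an added example written for this page (not code posted by either participant): getSession(false) so the lookup never creates a session as a side effect, isNew() to tell a freshly created session from an existing one, and a logout path that invalidates the server-side session and expires the session cookie so the browser stops resending the stale id. The javax.servlet API, the cookie name JSESSIONID, the /logout path and the "user" attribute are assumptions; the Cache-Control headers are an added mitigation for the Back/Refresh behaviour described above, not something the thread itself proposes.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: servlet demonstrating getSession(false), isNew() and a
// logout that invalidates the session and expires the cookie. Assumed
// names: attribute "user", cookie "JSESSIONID", mapping "/logout".
public class SessionCheckServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed container default

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        noStore(resp); // keep authenticated pages out of the browser cache

        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
            return;
        }

        // false: do not create a session just because we looked one up.
        HttpSession session = req.getSession(false);
        if (session == null) {
            // Old session was invalidated (or never existed): the id the
            // browser sent no longer maps to server-side state.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no valid session");
            return;
        }
        if (session.isNew()) {
            // Created on this very request, so it cannot carry a login.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session is new, not authenticated");
            return;
        }
        Object user = session.getAttribute("user"); // assumed attribute set at login
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session has no authenticated user");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + user + " (session " + session.getId() + ")");
    }

    // Invalidate server-side state and tell the browser to drop the cookie.
    private void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);           // max-age 0 asks the browser to delete it
        expired.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        expired.setHttpOnly(true);
        resp.addCookie(expired);
        resp.setContentType("text/plain");
        resp.getWriter().println("logged out");
    }

    // Without these headers the Back button can redisplay a cached copy of
    // an authenticated page even though the session is gone on the server.
    private static void noStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }
}
```

After logout, a request carrying the old cookie reaches the getSession(false) branch and gets a 401 rather than a silently created replacement session; if the page still appears on Back, it is the browser cache, which the no-store headers address.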





In this article, we examine vulnerabilities related to Session Management.

Since Hypertext Transfer Protocol (HTTP) is stateless, special provisions must be made outside of the protocol for the server to remember previous interactions with a user.

In web applications, a “session” refers to a data structure stored on the server that is associated with a specific user during a limited time period.