Re: Cookie not expiring...

[dharmeshmm () mastek com]

Hi All,

I think the case is only with Cookieless sessions.
"Session ID values used in cookieless sessions are recycled by default. That is, if a request is made with a session ID 
that has expired, a new session is started using the System.Web.SessionState.HttpSessionState.SessionID supplied with 
the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless 
System.Web.SessionState.HttpSessionState.SessionID is shared with multiple browsers perhaps through a search engine or 
other means. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling 
of session identifiers. To do this, set the regenerateExpiredSessionId attribute of the <sessionState> configuration 
element to true. This will result in a new session id being generated when a cookieless session request is made with an 
expired session id."

But the most important thing that was missed is
"If the request made with the expired session id is made using the HTTP POST method, then any posted data will be lost 
when regenerateExpiredSessionId is true, as ASP.NET performs a redirect to ensure that the browser has the new session 
identifier in the URL."

And in .NET, you call the System.Web.SessionState.HttpSessionStateProvider.Abandon method when a user logs out. This 
reduces the potential for an unwanted source using the unique identifier stored in the URL to retrieve private data 
stored in the session for a user.

Regards,

Dharmesh Mehta
Technology Cell,
Mastek Ltd.