How to Kill A Session or Session ID (ASP.NET/C#)

Asked 16/3, 2011 at 18:51 Answered 12/10, 2016 at 8:32

How can I destroy a session (Session["Name"]) when the user clicks the logout button?

I'm looking through the ASP.NET API Reference on MSDN and it doesn't seem to have much information. It seems rather limited. But I cannot find any other pages for ASP.NET Classes etc.

I have tried:

Session.Abandon(); and Session.Contents.Remove("Name"); neither of them work. ( I found these in a forum from a Google search)

Ca answered 16/3, 2011 at 18:51 Comment(6)

What do you mean by "neither of them work" – Benedictine 16/3, 2011 at 18:55

Um... When I output the contents of the session["Name"] it still outputs the name, but it shouldn't because it should've been cleared or killed. And it doesn't Sign me out. So, that's what I mean by "Neither of them work" – Ca 16/3, 2011 at 19:6

Try adding a redirect back to the login page, check for the Session["Name"] in there. – Benedictine 16/3, 2011 at 19:10

May be this link might help you. – Knossos 17/3, 2011 at 5:37

The Abaondon Method works all you need to do is take of the postbackurl from the html script and add a redirect after Session.Abandon(). – Alary 11/2, 2012 at 13:1

Use Session["YourItem"] = ""; – Rozanne 1/2, 2015 at 9:18

The Abandon method should work (MSDN):

Session.Abandon();

If you want to remove a specific item from the session use (MSDN):

Session.Remove("YourItem");

EDIT: If you just want to clear a value you can do:

Session["YourItem"] = null;

If you want to clear all keys do:

Session.Clear();

If none of these are working for you then something fishy is going on. I would check to see where you are assigning the value and verify that it is not getting reassigned after you clear the value.

Simple check do:

Session["YourKey"] = "Test";  // creates the key
Session.Remove("YourKey");    // removes the key
bool gone = (Session["YourKey"] == null);   // tests that the remove worked

Bonedry answered 16/3, 2011 at 18:53 Comment(6)

Thanks, @Kelsey; I just updated my question to show what I've already tried. The Abaondon Method doesn't work :S – Ca 16/3, 2011 at 18:54

@Lucifer are you trying to kill the Session from the current session or are you trying to do it from the application level and locate and kill a specific session? – Bonedry 16/3, 2011 at 18:56

Um, from the current session,? – Ca 16/3, 2011 at 19:0

@Lucifer something else is going on I suspect. I have editted my answer to include a little check and some other options. – Bonedry 16/3, 2011 at 19:8

Thanks @Kelsey, I'm not seeing any results from that check. – Ca 16/3, 2011 at 19:13

@Lucifer What result were you expecting? The value will be null after the Remove. Did you want something more to happen? – Bonedry 16/3, 2011 at 19:42

It is also a good idea to instruct the client browser to clear session id cookie value.

Session.Clear();
Session.Abandon();
Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-10);

Loosestrife answered 12/10, 2016 at 8:32 Comment(1)

is this really necessary ? Response.Cookies["ASP.NET_SessionId"].Value = string.empty ? or just with Session.Abandon() is enough ? – Danonorwegian 3/10, 2019 at 19:44

Session.Abandon()

This marks the session as Abandoned, but the session won't actually be Abandoned at that moment, the request has to complete first.

Benedictine answered 16/3, 2011 at 18:53 Comment(0)

From what I tested:

Session.Abandon(); // Does nothing
Session.Clear();   // Removes the data contained in the session

Example:
001: Session["test"] = "test";
002: Session.Abandon();
003: Print(Session["test"]); // Outputs: "test"

Session.Abandon does only set a boolean flag in the session-object to true. The calling web-server may react to that or not, but there is NO immediate action caused by ASP. (I checked that myself with the .net-Reflector)

In fact, you can continue working with the old session, by hitting the browser's back button once, and continue browsing across the website normally.

So, to conclude this: Use Session.Clear() and save frustration.

Remark: I've tested this behaviour on the ASP.net development server. The actual IIS may behave differently.

Alguire answered 3/4, 2013 at 13:59 Comment(0)

Session.Abandon() this will destroy the data.

Note, this won't necessarily truly remove the session token from a user, and that same session token at a later point might get picked up and created as a new session with the same id because it's deemed to be fair game to be used.

Som answered 16/3, 2011 at 18:53 Comment(1)

Thanks @Chris, I've tried that, and it still outputs the contents of the session["Name"] and won't signout. – Ca 16/3, 2011 at 19:1

You kill a session like this:

Session.Abandon()

If, however, you just want to empty the session, use:

Session.Clear()

Chalkboard answered 16/3, 2011 at 18:54 Comment(2)

If you're just trying to remove the 'Name', you can do Session.Remove("Name"); or clear it using Session["Name"] = null; – Chalkboard 16/3, 2011 at 19:0

None of these are working. I've tried Session.Abandon(); Session.Contents.Remove("Name"); Session.Contents.RemoveAll(); Session.Clear(); Session["Name"] = null (which is originally what I did) - and none of them work. – Ca 16/3, 2011 at 19:3

Session.Abandon()

is what you should use. the thing is behind the scenes asp.net will destroy the session but immediately give the user a brand new session on the next page request. So if you're checking to see if the session is gone right after calling abandon it will look like it didn't work.

Nicol answered 16/3, 2011 at 19:2 Comment(3)

Check the Remarks section on the MSDN doc for Session.Abandon -> msdn.microsoft.com/en-us/library/ms524310.aspx – Nicol 16/3, 2011 at 19:5

Thank you @AlanB - Then, how can I Sign out of my 'account' immediately after clicking the SignOut button?, if the session won't get deleted? – Ca 16/3, 2011 at 19:9

I guess it depends a bit on the code you're doing but the basic operation would be if you have "Logout" button on a page that in the code does a session.abandon() call then redirects to your homepage. the loading of the homepage should have a new session and thus not be "logged in" anymore. they will have a new session but all data associated with the old session is gone. – Nicol 16/3, 2011 at 19:13

Session["YourItem"] = "";

Works great in .net razor web pages.

Rozanne answered 1/2, 2015 at 9:23 Comment(1)

While this code sample may possibly answer the question, it would be preferable to include some essential explanation to your answer. As it stands now this answer adds little to no value for future readers. – Kerge 1/2, 2015 at 9:40

Session.Abandon(); did not work for me either.

The way I had to write it to get it to work was like this. Might work for you too.

HttpContext.Current.Session.Abandon();

Refit answered 23/2, 2016 at 23:35 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags