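/// <summary>
/// Invalidate the old session after copying all of its contents, so that the client is
/// issued a new session id while the stored values are kept (typically called right after
/// authentication so that an identifier known before login stops being valid).
/// Note that this is different from logging out and creating a new session identifier that
/// does not contain the existing session contents. Care should be taken to use this only
/// when the existing session does not contain hazardous contents: every value stored before
/// the call, including anything written before the user authenticated, is carried over.
/// </summary>
/// <remarks>
/// The cookie name "ASP.NET_SessionId" is the ASP.NET default. If the application sets a
/// different <c>cookieName</c> on <c>sessionState</c>, the blank cookie added here will not
/// match the real session cookie and the client will keep presenting the old identifier.
/// NOTE(review): the values are added back to the same session object that was just
/// abandoned. In stock ASP.NET, Abandon() takes effect at the end of the request, so confirm
/// that the IHttpSession implementation really carries these values into the session created
/// for the new identifier; that behaviour is not visible from this method.
/// </remarks>
/// <returns> The invalidated session (the same object that was current before the call).
/// </returns>
/// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()">
/// </seealso>
public IHttpSession ChangeSessionIdentifier()
{
    // Resolve the authenticator once instead of casting it for every property read.
    // The current request is not needed here, so it is no longer fetched.
    Authenticator authenticator = (Authenticator)Esapi.Authenticator();
    IHttpResponse response = authenticator.CurrentResponse;
    IHttpSession session = authenticator.CurrentSession;

    // Make a copy of the session content. The enumerator yields the item names,
    // which are then used to look up each value.
    IDictionary snapshot = new Hashtable();
    IEnumerator names = session.GetEnumerator();
    while (names != null && names.MoveNext())
    {
        string name = (string)names.Current;
        snapshot[name] = session[name];
    }

    // Invalidate the old session and force a new identifier.
    // This hack comes from here: http://support.microsoft.com/?kbid=899918
    // Blanking the session cookie makes the client drop the old id so the next
    // request is given a fresh one.
    session.Abandon();
    response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

    // Copy back the session content.
    foreach (DictionaryEntry entry in snapshot)
    {
        session.Add((string)entry.Key, entry.Value);
    }

    return session;
}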