/// <summary> Invalidate the old session after copying all of its contents to a newly created session with a new session id.
/// Note that this is different from logging out and creating a new session identifier that does not contain the
/// existing session contents. Care should be taken to use this only when the existing session does not contain
/// hazardous contents.
///
/// </summary>
/// <returns> The invaldiated session.
/// </returns>
/// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()">
/// </seealso>
public IHttpSession ChangeSessionIdentifier()
{
IHttpRequest request = ((Authenticator)Esapi.Authenticator()).CurrentRequest;
IHttpResponse response = ((Authenticator)Esapi.Authenticator()).CurrentResponse;
IHttpSession session = ((Authenticator)Esapi.Authenticator()).CurrentSession;
IDictionary temp = new Hashtable();
// make a copy of the session content
IEnumerator e = session.GetEnumerator();
while (e != null && e.MoveNext())
{
string name = (string)e.Current;
object val = session[name];
temp[name] = val;
}
// invalidate the old session and create a new one
// This hack comes from here: http://support.microsoft.com/?kbid=899918
session.Abandon();
response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
// copy back the session content
IEnumerator i = new ArrayList(temp).GetEnumerator();
while (i.MoveNext())
{
DictionaryEntry entry = (DictionaryEntry)i.Current;
session.Add((string)entry.Key, entry.Value);
}
return(session);
}
