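/// <summary>
/// Invalidates the current session after copying all of its contents so that they
/// are carried across the change of session identifier. This is different from
/// logging out, which abandons the session and creates a new identifier that does
/// NOT carry the existing contents forward. Only use this when the existing session
/// holds no hazardous contents, because every attribute is preserved.
/// </summary>
/// <remarks>
/// Invalidation follows the workaround in http://support.microsoft.com/?kbid=899918:
/// abandon the session and blank the ASP.NET_SessionId cookie so that the next
/// request is issued a fresh identifier instead of re-using the old one (Abandon()
/// alone lets ASP.NET keep handing out the same id while the cookie is present).
/// NOTE(review): the cookie name is hard-coded; if sessionState/@cookieName is
/// customised in web.config the blanked cookie will not match - confirm.
/// NOTE(review): the saved attributes are written back into the same, already
/// abandoned, session object; whether they survive into the next request depends
/// on the IHttpSession implementation - confirm against the concrete session type.
/// </remarks>
/// <returns> The invalidated session. </returns>
/// <seealso cref="Owasp.Esapi.Interfaces.IHttpUtilities.ChangeSessionIdentifier()"></seealso>
public IHttpSession ChangeSessionIdentifier()
{
    Authenticator authenticator = (Authenticator)Esapi.Authenticator();
    IHttpResponse response = authenticator.CurrentResponse;
    IHttpSession session = authenticator.CurrentSession;

    // Snapshot every attribute before the session is abandoned.
    // The session enumerates its attribute names as strings; a null enumerator
    // is tolerated and treated as "no attributes".
    IDictionary saved = new Hashtable();
    IEnumerator names = session.GetEnumerator();
    while (names != null && names.MoveNext())
    {
        string name = (string)names.Current;
        saved[name] = session[name];
    }

    // Invalidate the old session. Blanking the session-id cookie is what forces
    // a new identifier on the next request (KB 899918).
    session.Abandon();
    response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

    // Restore the snapshot into the session.
    foreach (DictionaryEntry entry in saved)
    {
        session.Add((string)entry.Key, entry.Value);
    }

    return session;
}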
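/// <summary>
/// Logs the current user out: the server-side session is abandoned, the ASP.NET
/// session-id cookie is killed, the login flag is cleared and the current user is
/// reset to the anonymous user. Does nothing if the current user is already anonymous.
/// </summary>
/// <remarks>
/// The session-id cookie is killed in addition to abandoning the session so the
/// browser cannot keep presenting the old identifier; with the cookie left in place
/// ASP.NET can re-issue the same id on the next request. The cookie killed here is
/// "ASP.NET_SessionId", the same name ChangeSessionIdentifier blanks - the previous
/// "ASPSESSIONID" is the classic-ASP name and left the real cookie untouched.
/// NOTE(review): the cookie name is hard-coded; a customised sessionState/@cookieName
/// in web.config would not be matched - confirm.
/// NOTE(review): the session is taken from Context.Session here but from
/// CurrentSession in ChangeSessionIdentifier - confirm both refer to the same session.
/// </remarks>
/// <seealso cref="Owasp.Esapi.Interfaces.IUser.Logout()"></seealso>
public void Logout()
{
    Authenticator authenticator = (Authenticator)Esapi.Authenticator();
    if (authenticator.GetCurrentUser().Anonymous)
    {
        // Nothing to log out.
        return;
    }

    IHttpSession session = authenticator.Context.Session;
    if (session != null)
    {
        session.Abandon();
    }

    // Kill the ASP.NET session cookie, not the classic-ASP one, so the old
    // identifier is not presented again after logout.
    Esapi.HttpUtilities().KillCookie("ASP.NET_SessionId");

    loggedIn = false;
    logger.LogSuccess(ILogger_Fields.SECURITY, "Logout successful");
    authenticator.SetCurrentUser(authenticator.anonymous);
}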