What is the difference between Session.Abandon() and Session.Clear() in ASP.Net?
Session.Abandon() will end the current session.
Session_End will be fired and the next request will fire the
Session.Clear will just clear the session data and the the session will remain alive.
Session ID will remain the same in both cases, as long as the browser is not closed.
In a nutshell:
Session.Abandon(); cancels the current
Session.Clear(); clears all values from
will destroy/kill the entire session.
removes/clears the session data (i.e. the keys and values from the current session) but the session will be alive.
Compare to Session.Abandon() method, Session.Clear() doesn't create the new session, it just make all variables in the session to NULL.
Session ID will remain same in both the cases, as long as the browser is not closed.
Some things to note here from my experience:
Session.Abandon() does not invalidate the current session. Old requests execute fine if you replay them.
But, after you call it, setting the contents of the abandoned session dictionary have no permanent effect. The next request gets a fresh new session dictionary (even if you use the same session ID by replaying a previous request) and none of your previous changes to it (after having called the method) are there.
So, it seems that
Session.Abandon() totally stops the persistence of the entire session, while
Session.Clear() only removes its data.
And, also, if you need to secure your application from replay attacks, you should add some logic that validates sessions and not depend on any of these built-in methods. Those seem to be meant for only managing the persistence of the session data, not for securing your application.