Re: Cookie not expiring...

Hi All,

I think the case is only with Cookieless sessions.
"Session ID values used in cookieless sessions are recycled by default. That 
is, if a request is made with a session ID that has expired, a new session is 
started using the System.Web.SessionState.HttpSessionState.SessionID supplied 
with the request. This behavior can result in the unwanted sharing of session 
data when a link that contains a cookieless 
System.Web.SessionState.HttpSessionState.SessionID is shared with multiple 
browsers perhaps through a search engine or other means. You can reduce the 
possibility of session data being shared by multiple clients by disabling the 
recycling of session identifiers. To do this, set the 
regenerateExpiredSessionId attribute of the <sessionState> configuration 
element to true. This will result in a new session id being generated when a 
cookieless session request is made with an expired session id."

But the most important thing that was missed is
"If the request made with the expired session id is made using the HTTP POST 
method, then any posted data will be lost when regenerateExpiredSessionId is 
true, as ASP.NET performs a redirect to ensure that the browser has the new 
session identifier in the URL."

And in .NET, you call the 
System.Web.SessionState.HttpSessionStateProvider.Abandon method when a user 
logs out. This reduces the potential for an unwanted source using the unique 
identifier stored in the URL to retrieve private data stored in the session for 
a user.

Regards,

Dharmesh Mehta
Technology Cell,
Mastek Ltd.