IIS7 ASP.NET in-proc session NOT being lost after app recycle
I've got an ASP.NET MVC app running under IIS7. It's using the default in-proc session management, which, according to all that I read, should lose the users' session after an app pool recycle. It doesn't seem to be losing it though. Even an IIS reset doesn't lose the session. Has something changed in IIS7 that keeps the session alive?
This is due to cookie replay: what happens is that your browser sends the cookie with the old authentication ticket, which is accepted as a new session, as the web server does not store valid and expired authentication tickets for later comparison. This makes your site vulnerable to a replay attack if a malicious user obtains a valid forms authentication cookie. To improve security when using a forms authentication cookie, see the MSDN link below:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.signout.aspx
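An added example, not code from the question, the answer or ASP.NET itself, of the mitigation the answer points to: sign the user out so the forms cookie is expired in the browser, and reject any ticket issued before that user's last sign-out, so a replayed cookie is no longer accepted. It assumes a hypothetical in-memory store for the sign-out times; a real deployment would keep them in a database or distributed cache that survives an app pool recycle.

```csharp
// Added example (not from the question or answer above).
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRevocation
{
    // Hypothetical store: user name -> UTC time of the user's last sign-out.
    // Lives only in this process; use persistent storage in a real deployment.
    private static readonly ConcurrentDictionary<string, DateTime> LastSignOut =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Call from the logout action.
    public static void SignOut(HttpContext context)
    {
        if (context.User != null && context.User.Identity.IsAuthenticated)
            LastSignOut[context.User.Identity.Name] = DateTime.UtcNow;

        FormsAuthentication.SignOut();      // clears the ticket on this response
        if (context.Session != null)
            context.Session.Abandon();      // drops the in-proc session state

        // Expire the forms cookie explicitly so the browser discards it too.
        var expired = new HttpCookie(FormsAuthentication.FormsCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        context.Response.Cookies.Add(expired);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    public static void RejectReplayedTicket(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;

        DateTime signedOutAt;
        if (LastSignOut.TryGetValue(identity.Name, out signedOutAt) &&
            identity.Ticket.IssueDate.ToUniversalTime() <= signedOutAt)
        {
            // Ticket predates the sign-out: treat the request as anonymous.
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
            FormsAuthentication.SignOut();
        }
    }
}
```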