This repository has been archived by the owner on Nov 22, 2018. It is now read-only.
For what design reason is Asp.Net Core SessionKey different than the SessionId? #151
The `DistributedSession` class uses a `sessionKey` `Guid` as the primary key for the sqlserver table that ultimately gets used to store sessions. This `Guid` is generated by the SessionMiddleware class and passed in to the `DistributedSession`. This `SessionKey` `Guid` is a different value than the `SessionId`. The `SessionId` Guid is generated by the `DistributedSession` class.

Why?

What I want to know is why is the system designed this way? Why aren't the `SessionId` and `SessionKey` one and the same? Why use two different `Guids`? I ask because I'm creating my own implementation of `ISession` and I'm tempted to use the `SessionKey` as the `SessionId` in my implementation so that it's easier to match up a record in the database to a session. Would that be a bad idea? Why wasn't the `DistributedSession` object designed that way rather than generating a `SessionId` that is different than the `SessionKey`? The only reason I can think of is perhaps trying to increase security by obfuscating the linkage between the database record and the session it belongs to. But in general security professionals don't find security through obfuscation effective. So I'm left wondering why such a design was implemented?

I have posted the stackoverflow question here: http://stackoverflow.com/questions/42590026/for-what-design-reason-is-asp-net-core-sessionkey-different-than-the-sessionid if you would like to answer it there.