ASP.NET Core: Session Id Always Changes

Question

Today started a brand new ASP.NET Core site. Followed the instructions to add sessions. We print out the Session ID on the index page, and it is always unique.

I figure it may be cookie compliance, so I nuked all cookies, both in Chrome's advanced settings and debugger. But the banner won't reappear for me to accept.

I also tried simply disabling CheckConsentNeeded, but that also had no impact.

Pretty much a duplicate from the default project plus MSDN, except for the tweaks described above:

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();

        services.AddSession(options =>
        {
            // Set a short timeout for easy testing.
            options.IdleTimeout = TimeSpan.FromSeconds(10);
            options.Cookie.HttpOnly = true;
            //options.Cookie.SecurePolicy = CookieSecurePolicy.Always; //require https
            // Make the session cookie essential
            options.Cookie.IsEssential = true;
        });

        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => false; //true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });


        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
        app.UseSession();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Answer 1

Wiktor Zychla was correct in the first comment: you must assign any data for the ID to stick.

I simply assigned any data to the session in my controller:

        public IActionResult Index()
        {
            HttpContext.Session.Set("What", new byte[] { 1, 2, 3, 4, 5 });
        }

After that, HttpContext.Session.Id did not change, as one would expect.

As my first foray into ASP.NET Core from ASP.NET Framework, I didn't expect that, and I am sure I won't be the last!

Answer 2

Zoop's answer inspired me, but as my comment suggests, it becomes messy should your application have a lot of actions. Based on their answer, I came up with this:

Create a base controller for your application if you don't have one already. Derive all of your existing controllers from that controller. Override the base method that behaves like the old Page_Load from ASP.NET. OnActionExecuting gets invoked before any action code does.

public class MyApplicationController : Controller
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        base.OnActionExecuting(filterContext);
        HttpContext.Session.Set("What", new byte[] { 1, 2, 3, 4, 5 });
    }
}

EDIT: This is an imperfect solution as well. I have abandoned trying to use Session at all in my MVC project. This will work in cases where you don't do anything but GET and POST . (eg, $ajax will mess this up.)