Based on what I have understood, we have
sessionId is stored in the cookie .AspNetCore.Session

Deleting the cookies and clearing the session does nothing.

    context.HttpContext.Session.Clear();
    foreach (var cookie in context.HttpContext.Request.Cookies.Keys)
    {
        context.HttpContext.Response.Cookies.Delete(cookie);
    }

So the question is: can we change the sessionId in some way, or is there a way to protect ourselves from session fixation?
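
One mitigation that does not depend on the session ID changing, as an added example that is not part of the original post: bind the session to the authentication cookie issued at login, so a session cookie known to someone else is useless without the matching ticket. It assumes cookie authentication and session middleware are already configured; `SessionBinding`, `SignInBoundAsync`, `EnforceAsync` and the `sid-bind` key are hypothetical names.

```csharp
// Added example, not the asker's code. Assumes AddSession() and cookie
// authentication are registered; "sid-bind" is a hypothetical key name.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

public static class SessionBinding
{
    private const string BindKey = "sid-bind";

    // Call at login: drop pre-login session data, then store the same random
    // token in the session and in the freshly issued authentication ticket.
    public static Task SignInBoundAsync(HttpContext ctx, string userName)
    {
        ctx.Session.Clear();
        var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        ctx.Session.SetString(BindKey, token);
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, userName), new Claim(BindKey, token) },
            CookieAuthenticationDefaults.AuthenticationScheme);
        return ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                               new ClaimsPrincipal(identity));
    }

    // Middleware body: a session that was bound at login is served only to a
    // caller whose authentication ticket carries the same token.
    public static async Task EnforceAsync(HttpContext ctx, Func<Task> next)
    {
        var inSession = ctx.Session.GetString(BindKey);
        var inTicket = ctx.User.FindFirst(BindKey)?.Value;
        bool bound = inSession != null && inTicket != null &&
            CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(inSession), Encoding.ASCII.GetBytes(inTicket));
        if (inSession != null && !bound)
        {
            // Bound session presented without its ticket: wipe and refuse.
            ctx.Session.Clear();
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }
        await next();
    }
}
```

Register the check with `app.Use(SessionBinding.EnforceAsync)` after `UseSession()` and `UseAuthentication()`, and clear the session on logout so an expired ticket does not leave a bound session behind.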