0

I've seen this a few times in our logs and users have also reported it to us but have never really gotten to the bottom of the problem.

From time to time, a page will render from output caching with links that have a strange path value in. Say (X(3)S(5l53uwuaffkddojv4iwb3snm)). Presumably this occurs because the first render of the page has these links, and they are therefore cached with them.

This means that all urls on that page look similar to this.

http://www.example.com/(X(3)S(5l53uwuaffkddojv4iwb3snm))/foo/bar/index.htm

This looks identical to this question and the MSDN article "Understand How the ASP.NET Cookieless Feature Works", except that we use sessions or session cookies for our public site, but for 99% of our site, we don't actually use sessions. The remaining 1% uses session cookies for the user experience, so I don't see how this causes a problem with the rest of our site.

This part of the above article seems to reference the issue:

// Step 2: Check if we have already detected that Cookies are not 
//         supported. This is detected by looking for the string
//        "/(X(1))/" in the URL
If (URL-contains-"/(X(1))/")
   Report_cookies_are_NOT_supported_and_exit;

Currently the sessionstate looks like this:

<sessionState mode="SQLServer" sqlConnectionString="data source=myDatabase;user id=dbUsername;password=dbPassword" cookieless="false" timeout="10080" />

Anyone have any ideas on how I can resolve this issue? Is there a way we can prevent urls like this from displaying?

Community
  • 1
  • 1
Dan Atkinson
  • 11,391
  • 14
  • 81
  • 114

1 Answers1

1

Make sure you have forced the usage of cookies:

<sessionState cookieless="UseCookies" />

and for the forms authentication cookie as well:

<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" />

If you don't do that and have a client browser which has cookies disabled you will get the aforementioned token in the url.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • Thanks for your reply. I have updated the answer with the session state. We don't use forms authentication so I don't think this is an issue. – Dan Atkinson Nov 16 '12 at 10:21
  • 1
    There are issues with `cookieless="false"`. Check this out: http://stackoverflow.com/questions/10998714/asp-net-cookieless-session-url-issue-only-in-mobile-safari. Also check this out: http://www.hanselman.com/blog/FormsAuthenticationOnASPNETSitesWithTheGoogleChromeBrowserOnIOS.aspx – Darin Dimitrov Nov 16 '12 at 10:24
  • Can you confirm that your suggested answer for this is this one (and changing to UseCookies)? http://stackoverflow.com/a/4816391/31532 – Dan Atkinson Nov 16 '12 at 10:29