6

In my config file I have the below settings:

`<sessionState mode="InProc" cookieless="false" />`

Does this indicate that the session ID is stored in cookies? If yes, then how is it picked up and sent to the server, and how is it verified across postbacks?

What will happen if cookies are disabled in my browser? Will the session (session ID and session variables) still be created?

Where (default path) are the cookies for sessions created and stored by default, and can I change the path?

What format and kind of data is stored in cookies for a session?

If I store a class object in the session, then what is actually stored in the cookie?

Also, if I use authentication mode "forms" with cookies, then what will happen if cookies are disabled in the browser?

Brian MacKay
Panache
  • I know that if I set cookieless to true then the session ID is appended to the URL, but I just want to know: if the cookieless value is set to false and the client has disabled cookies on his machine, will the application behave properly or will it break? I personally feel that the application won't work, as answered by Josh Stodola. – Panache Sep 09 '09 at 19:40
  • Take a look at the note on the bottom of my post. In a sentence, the app will break if you completely disable cookies and still expect session to be there, and don't enable cookieless sessions. For instance, I actually ran a test and on one of my apps I just kept getting the login screen. – Brian MacKay Sep 09 '09 at 22:22
  • I have created a sample application with the session attribute cookieless set to false, disabled the cookies in the browser and tested the application; it just works fine. Where are the session values stored? – Panache Sep 19 '09 at 18:52
  • Check [this](http://stackoverflow.com/questions/6353703/session-cookie-some-misunderstandings) – Jibin Jun 21 '11 at 05:35
  • http://stackoverflow.com/questions/12572134/php-sessions-with-disabled-cookies-does-it-work this thread will answer your query. – Varshaan Jul 10 '15 at 03:52

8 Answers

19

The session cookie is a special non-persistent cookie. It's only stored in memory, so in most cases even when cookies are disabled it still works fine.

It's also possible to enable something called cookieless sessions, where the session ID is embedded in the URL, like this:

http://yourserver/folder/ (encrypted session ID here) /default.aspx

Here's a link to an MSDN article with more details: http://msdn.microsoft.com/en-us/library/aa479314.aspx

NOTE: It is possible to completely block the session cookie. For instance, in IE8, I just went into Tools > Internet Options > Privacy. When I cranked the slider up to 'High' or greater, my sites never got past the login screen because the session cookie was blocked - in fact, Josh Stodola said below that in this case the session would never even be created on the server.

However, understand that this type of behavior effectively breaks the Internet. So unless you're building a site targeted at conspiracy theorists, in my opinion (and the opinion of most of the largest sites in the world) there's no need to cater to the tiny percentage of users who don't play by the normal rules.

For them, the Internet just isn't going to work the way it's supposed to.

Brian MacKay
  • In IE6 through IE8, you can also disable session cookies if you go to Privacy > Advanced and check "Override automatic cookie handling", select "Block" under first-party cookies, and leave "Always allow session-cookies" unchecked. But still, if you do this there will be a lot of sites that won't work properly. – Steve Wortham Sep 09 '09 at 19:16
  • +1 for Dino's article- I was going to add it as an answer but you already have – RichardOD Sep 09 '09 at 19:25
  • Are you saying the session cookie is stored in the client browser, not in memory (server)? Your first sentence is confusing. – Shaiju T May 18 '18 at 07:06
  • @stom The session cookie is stored in memory on the client. I am not sure exactly how servers tend to handle it. – Brian MacKay May 18 '18 at 17:05
0

It is stored directly in the browser.

Ravi Teja Koneru
0

My guess is that each request by the client will be seen as a new session by the server.

David
0

If you happen to grab the request headers from your browser, you can see that a SessionID is part of the header. This is used by the server to determine which session belongs to which user.

johnofcross
0

Instead of session id being passed via cookie, it is typically passed as a query string in the URL, or as a custom HTTP header. With the scenario you described, however, your user will never obtain a session because you have cookieless set to false.

Josh Stodola
  • I have created a test application in which I have set cookieless to false and I have disabled the cookies in my browser. The authentication mode is set to forms. Guess what? The application still works. – Panache Sep 12 '09 at 13:54
0

I have not implemented this personally, but it should be like this:

As cookieless=false is set in the web.config file and the browser has disabled cookies, when the first request for the page comes, the HTTP module will check for the forms authentication cookie. It will be empty, which sends the user to the login page. When the second request for any page on the website comes, it will again find the forms authentication cookie empty and send the user to the login page. So for every request the user needs to create a new session.

Nirlep
0

There are two ways session state can store the unique ID that associates a client with a server session: by storing an HTTP cookie on the client, or by encoding the session ID in the URL.

Session mode="InProc" is the default mode, which stores the session state information on the web server. However, when you say cookieless="false" you are saying to store the unique ID in a cookie. This ID is created when the session is created, so during postback the ID is picked up from the cookie. If cookies are disabled in the browser, yes, the session will still be created and this ID is passed along the URL.

You can browse to cookies by going to browser settings -> Privacy -> Content Settings -> All cookies and site data -> stored with site name. Probably you might find cookies in %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies, but this might differ from operating system to operating system.

In cookies you usually store small pieces of insensitive personal information. If you need to store sensitive data such as user name and password, it is better to encrypt that data.

In cookies you usually store information about the users. For more details please visit these URLs: http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookieless(v=vs.110).aspx and http://msdn.microsoft.com/en-us/library/ff647070.aspx#pagexplained0002_cookielessforms

Chandra Malla
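The mechanics that Brian MacKay's and Chandra Malla's answers describe, as an added toy model (not code from ASP.NET or from any poster): the server keeps the session variables in memory and hands the client only an ID, either in a non-persistent `ASP.NET_SessionId` cookie or embedded in the URL as `/(S(id))/`. It also shows the two failure modes discussed in the thread: a browser that discards cookies gets a new session on every request, while a cookieless redirect survives without cookies. The `SessionServer` class, the three `browser_*` clients and the session IDs are constructed for this example; real ASP.NET IDs use their own 24-character alphabet.

```python
import re
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "ASP.NET_SessionId"
URI_RE = re.compile(r"/\(S\(([A-Za-z0-9_-]+)\)\)/")  # cookieless form: /(S(id))/

class SessionServer:
    """Toy InProc-style store: the ID goes to the client, the variables stay here."""
    def __init__(self, cookieless=False):
        self.cookieless = cookieless
        self.sessions = {}  # session id -> dict of session variables

    def handle(self, path, headers):
        """Serve one request; return (session_id, is_new, response_headers)."""
        sid, m = None, URI_RE.search(path)
        if self.cookieless and m:
            sid = m.group(1)                        # ID carried in the URL
        elif not self.cookieless and "Cookie" in headers:
            jar = SimpleCookie(headers["Cookie"])   # ID carried in the cookie
            sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        if sid in self.sessions:
            return sid, False, {}                   # known ID: same session
        sid = secrets.token_urlsafe(18)             # constructed 24-char ID (not ASP.NET's alphabet)
        self.sessions[sid] = {}
        if self.cookieless:                         # embed the ID in the URL and redirect there
            return sid, True, {"Location": f"/(S({sid})){path}"}
        # no Expires/Max-Age: a non-persistent cookie kept only in browser memory
        return sid, True, {"Set-Cookie": f"{COOKIE_NAME}={sid}; path=/; HttpOnly"}

def browser_with_cookies(server, requests=3):
    """Client that honours Set-Cookie: every request lands in the same session."""
    cookie, ids = None, []
    for _ in range(requests):
        sid, _new, resp = server.handle("/default.aspx", {"Cookie": cookie} if cookie else {})
        if "Set-Cookie" in resp:
            cookie = resp["Set-Cookie"].split(";")[0]  # "ASP.NET_SessionId=<id>"
        ids.append(sid)
    server.sessions[ids[0]]["cart"] = {"items": 3}  # the object itself never reaches the cookie
    return ids, cookie

def browser_cookies_disabled(server, requests=3):
    """Client that drops Set-Cookie: the server sees a brand-new session every time."""
    return [server.handle("/default.aspx", {})[0] for _ in range(requests)]

def browser_cookieless(server):
    """Cookie-free client that follows the (S(id)) redirect: the session survives."""
    sid, _new, resp = server.handle("/default.aspx", {})
    sid2, is_new, _hdrs = server.handle(resp["Location"], {})
    return sid == sid2 and not is_new
```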
0

No, if cookies are disabled the session will not work.

If you want to use session when cookies are disabled, then you can pass the session through the URL.