10

There seem to be conflicting opinions about ASP.NET MVC and cookieless sessions. Some people say MVC downright does not support them, but others seem to be using MVC and cookieless sessions without any issues. If I create a test MVC project and enable cookieless sessions, everything seems to work fine. Does anyone have a definitive and supported answer on the use of cookieless sessions with MVC, i.e. why or why not to use them?

Note: I am aware of the security implications of using cookieless sessions, but in my case and for internal applications the risk of other users stealing sessionId's is not too much of an issue.

Mark Erasmus
  • 1
    not that I'm advocating usage, but I thought someone might find this helpful on cookieless session issues vs web services http://dougrees.blogspot.com/2008/07/using-autodetect-cookieless-sessions.html – Maslow Dec 11 '14 at 16:18

1 Answer

11

The definitive answer was in the forums.asp.net post you linked to in your original question. Those answers came straight from the product team members themselves. Cookieless forms auth / cookieless session are deprecated technologies. Nothing the ASP.NET team has done in recent years (MVC, WebAPI, SignalR, Friendly URLs) supports it.

Things might work by happy accident, but this should not be misconstrued as an officially supported scenario. All bugs which have been filed regarding cookieless forms auth / cookieless session are automatically resolved "won't fix" by the product teams.

Levi
  • 1
    Do you have some link from Microsoft, or ASP.NET blogs, roadmaps or something official, where it is stated that cookieless session is deprecated? I will be very grateful for such a link – Regfor Nov 17 '14 at 13:24
  • @Regfor see http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#cookieless and http://vimeo.com/m/68390507. You can also use my "we automatically resolve all issues as won't fix" statement above as the definitive stance of the product team. – Levi Nov 19 '14 at 13:40
  • 1
    Thanks @Levi. I know about the recommendations. But recommended and not recommended is not the same as deprecated. There is only one link that I've found where something is stated about cookieless being deprecated: http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx. It is stated there that cookieless is not supported by ASP.NET MVC, but it could be the subjective opinion of the author. Anyway, there is no link where it is written that cookieless is obsolete or deprecated. – Regfor Nov 19 '14 at 13:51
  • About "won't fix". Actually, to convince somebody to fix cookieless, a link with a clear statement that it is deprecated helps a lot. In the link to MSDN, it is simply not recommended. In your NDC video, despite Damian Edwards being a Microsoft employee, he is not saying that cookieless is deprecated; he says only not to use it because of easier session hijacking – Regfor Nov 19 '14 at 14:15
  • 1
    If the ASP.NET team is telling you in videos, blog posts, forums, and official pages on www.asp.net not to do something, that's pretty much the equivalent of deprecated. If you don't believe me then file a bug on Connect and watch how quickly it gets closed as "won't fix". :) – Levi Nov 22 '14 at 03:37