9

How can the session state be maintained in asp.Net, if the cookies are turned off in browser or cookieless="true" is added within sessionmode tags in web.config?

The following tag shows cookieless="true" in web.config.

<sessionState mode="InProc"
  cookieless="true"
  timeout="30"/>
MGeorge
  • 103
  • 1
  • 1
  • 6

2 Answers2

8

ASP.NET framework inserts a unique id to the URL, you can check this by disabling the cookie or by setting the cookieless attribute to true as you did.

According to MSDN:-

By default, the SessionID value is stored in a non-expiring session cookie in the browser.

If you specify cookieless="true" then:

ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.

Rahul Singh
  • 21,585
  • 6
  • 41
  • 56
  • Hey Rahul, In the case of sessionId saved in cookies is it a persistent or non persistent cookie? In MSDN it is specified as persistent right? – MGeorge Mar 25 '15 at 04:22
  • @MGeorge - Yes, Session cookies will be persistent by default and its default time is 20 minutes. – Rahul Singh Mar 25 '15 at 04:28
  • is unique session ID in the page's URL safe? I mean to keep cookieless="true" has any drawback?? – pnmhtkr Dec 07 '22 at 12:22
2

Answer is yes, it will still maintain session via URL. It will attach unique identifier for session to URL, that unique identifier is stored in cookie for cookieless = false.

URL will look like this - http://yourserver/folder/(session ID here)/default.aspx

Live example -

http://localhost:2677/WebSite1/(S(3abhbgwjg33aqrt3uat2kh4d))/cookielesssessiondetection.aspx

Here 3abhbgwjg33aqrt3uat2kh4d is session id.

Arindam Nayak
  • 7,346
  • 4
  • 32
  • 48
  • I'm wondering if it's worth still doing this so that Session variables with work in IE. I imagine people still use IE in 2020 but I don't know why. – Rich Dec 04 '20 at 16:33