Cookieless Session in ASP.NET

February 26, 2019

The Session state in any web technology depend on cookie at the client end to store and resend session id back and forth between client browser and web server.

But Asp.net also supports cookieless sessions with the following attribute addition in the web.config within system.web node.

With the above config setting, it carry the session id in the page url instead of cookie.

Please take a look at the following two page’s Page_Load method code before we run them in both normal and cookie less mode.

Default.aspx

protected void Page_Load(object sender, EventArgs e) {

Session.Add(“CurrentClient”, “Machine A”); Response.Redirect(“ShowSession.aspx”); }

ShowSession.aspx (with a label lblShowCurrentClient )
protected void Page_Load(object sender, EventArgs e) {

if (Session[“CurrentClient”] != null) { lblCurrentClient.Text = “You are accessing it from ” + Session[“CurrentClient”].ToString(); } else { lblCurrentClient.Text = “You are directly accessing this page, so no session created.”;

}

In normal session mode,

Lets access the default page with the URL http://a.b.c.d/CookieLessSession/Default.aspx from a client (Say Machine A).

— It will create the session and will redirect to http://a.b.c.d/CookieLessSession/ShowSession.aspx . The ShowSession.aspx page will show “You are accessing it from Machine A”.

— If you directly access the ShowSession.aspx url from any other machine/ browser instance, then it will show “You are directly accessing this page, so no session created. “

After you do the web.config change to use cookieless session mode,

If you access the default page http://a.b.c.d/CookieLessSession/Default.aspx from machine A,

— It will create the session and will redirect ShowSession.aspx page, but with a little different URL like the following.

http://a.b.c.d/CookieLessSession/(S(5gnky055noa2vfnmdnspjgav))/ShowSession.aspx . The ShowSession.aspx page will show “You are accessing it from Machine A”.

— Here the /(S(5gnky055noa2vfnmdnspjgav))/ part of the URL carry the session id.

FAQ: Now the session is cookie independent. So what will happen if some one visit the ShowSession.aspx page with the above URL (along with session id) from another machine, say Machine B?

A: Till the session out time reached, if some one from ‘Machine B’ access the page with same session id (created by ‘Machine A’) in the URL, he/she will see the session created using Machine A.

Directly accessing http://a.b.c.d/CookieLessSession/(S(5gnky055noa2vfnmdnspjgav))/ShowSession.aspx from Machine B will show:

“You are accessing it from Machine A”

https://burnignorance.com/wp-content/themes/impeka/images/empty/thumbnail.jpg 150 150 Burnignorance | Where Minds Meet And Sparks Fly! Burnignorance | Where Minds Meet And Sparks Fly! https://burnignorance.com/wp-content/themes/impeka/images/empty/thumbnail.jpg February 26, 2019 March 9, 2025

Cookieless Session in ASP.NET

Show truncated string with dots appended with CSS3

How to avoid Memory leak issue in Java

Active Directory Authentication In Web Application