
Session and Cookies

I have seen many posts in newsgroups asking questions about cookies and their relationship with ASP.NET session state, so I thought of making a small post explaining the role cookies play in an ASP.NET session.

A typical sessionState element in a web.config file looks as follows:

<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
    cookieless="false"
    timeout="20"
/>

Most of us are pretty familiar with the first three attributes, which simply say where the session state is stored. So, let's jump to the cookieless="false" attribute.

This attribute tells ASP.NET whether or not to use cookies to store the session identifier.

A little background
Any time you request a page from the web server, by making a GET or a POST request, ASP.NET runs the page in a session. If the session already exists, ASP.NET simply executes the page in that session; if not, it creates a new session to serve the request. As you know, ASP.NET, along with many web technologies, is stateless, i.e. a request has no knowledge of the previous or the next requests. Therefore, ASP.NET has no way of knowing whether the request you made is your first request, so it needs to create a session for you, or your second request, so it needs to use the previously created session. So there needs to be some mechanism that tells ASP.NET to use the previously created session information if it hasn't timed out, and not go crazy and create 100 sessions for 100 requests. That is exactly what we are doing with the cookieless attribute in the sessionState element above.

Let's look at the two solutions .NET provides to solve this problem.

First Solution
When you have cookieless="false", you are telling ASP.NET to store the identifier of the session it created in a temporary browser cookie. The next time you make a new request or do a postback within the same browser, ASP.NET reads this browser cookie and determines that the request belongs to the previously created session. If that session hasn't timed out, ASP.NET simply serves the request and uses that session information without creating a new session.

Caveat
If your browser does not accept cookies and you have cookieless="false", then you are busted. ASP.NET will create a new session for every request you make, whether it is a GET or a POST request, and you won't be able to use any session information you stored between your requests. The reason for this behavior is that you are telling ASP.NET to use a cookie to store the session identifier, yet the browser is not set to accept cookies.

To get around this problem, adjust your browser security settings to allow cookies. The typical security setting for a browser to accept cookies is Medium High.

Second Solution
Now the second case: when you have cookieless="true", you are telling ASP.NET not to use cookies to store the session identifier. In this case our poor ASP.NET panics and messes with the URLs. A typical URL in this case looks as follows:

http://www.yourdomain.com/(v5j2hoqkijx0dsqwry1kpojx)/yourPage.aspx

You can see the crazy text inserted between your domain name and your page address. As you guessed, it is the session ID. ASP.NET creates these mangled URLs when you do not let it use cookies to store the session identifier. The advantage of this approach is that you are not making any assumptions about the browser's behavior; the disadvantage is that the URLs are not user friendly and cannot be bookmarked.
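
As an added example (not code from the original post), the Python sketch below separates the session ID from a cookieless URL like the one above, so the ID can be stripped before a URL is written to a log or pasted somewhere else. It assumes the ID is a single parenthesised path segment of 24 lowercase letters and digits, as in the sample URL; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the session ID is one parenthesised path segment made of
# 24 lowercase letters/digits, matching the sample URL in the post.
_SESSION_SEGMENT = re.compile(r"/\(([a-z0-9]{24})\)(?=/)")


def split_cookieless_url(url):
    """Return (session_id or None, url with the session segment removed)."""
    parts = urlsplit(url)
    match = _SESSION_SEGMENT.search(parts.path)
    if match is None:
        # Cookie-based session (or no session): nothing embedded in the path.
        return None, url
    clean_path = parts.path[:match.start()] + parts.path[match.end():]
    return match.group(1), urlunsplit(parts._replace(path=clean_path))


def redact_log_line(line):
    """Replace any embedded session ID in a log line with a fixed marker."""
    return _SESSION_SEGMENT.sub("/(REDACTED)", line)


if __name__ == "__main__":
    # Constructed sample input: the post's example URL and made-up log lines.
    url = "http://www.yourdomain.com/(v5j2hoqkijx0dsqwry1kpojx)/yourPage.aspx"
    print(split_cookieless_url(url))
    for line in (
        "GET /(v5j2hoqkijx0dsqwry1kpojx)/yourPage.aspx 200",
        "GET /yourPage.aspx 200",
    ):
        print(redact_log_line(line))
```

The cleaned URL is the same address a cookie-based session would show, which is why a saved cookieless URL stops matching a live session once its ID has timed out.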
Published Tuesday, June 21, 2005 4:58 PM by kreddi


Comments

# re: Session and Cookies

My doubt is using cookies in session is better or not... depending on what we have to make cookies true or false

Wednesday, May 23, 2007 4:45 AM by laxmi
