Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

HttpSessionState.IsCookieless Property

Gets a value indicating whether the session ID is embedded in the URL or stored in an HTTP cookie.

Namespace: System.Web.SessionState
Assembly: System.Web (in system.web.dll)
public bool IsCookieless { get; }
/** @property */
public boolean get_IsCookieless ()

public function get IsCookieless () : boolean

Not applicable.

Property Value

true if the session is embedded in the URL; otherwise, false.

ASP.NET identifies sessions uniquely with each browser. By default, the unique identifier for a session is stored in a non-expiring session cookie in the browser. You can specify that session identifiers not be stored in a cookie by setting the cookieless attribute to true in the sessionState configuration element.

NoteNote:

To improve the security of your application, your application should allow users to log out, at which point it should call the Abandon method. This reduces the potential for an unwanted source using the unique identifier in the URL to retrieve private data stored in the session for a user.

ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique session ID lit3py55t21z5v55vlm25s55:

http://www.example.com/(S(4danlfat035muve4g0mvgfrr))/orderform.aspx

ASP.NET modifies the links contained in all requested pages by embedding a session-ID value in the links just before sending each page to the browser. Session state is maintained as long as the user follows the path of links that the site provides. However, if the user agent rewrites a URL, the session-state instance will be lost.

The session ID is embedded in the URL after the slash that follows the application name and before any remaining file or virtual-directory identifier. This allows ASP.NET to resolve the application name before involving the SessionStateModule in the request.

By default, session identifiers used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started using the session ID supplied with the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless session ID is shared with multiple browsers, perhaps through a search engine or other program. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling of session identifiers. To do this, set the regenerateExpiredSessionId attribute of the sessionState configuration element to true. This will result in a new session ID being generated when a cookieless session request is made with an expired session ID. Note that if the request made with the expired session ID uses the HTTP POST method, then any posted data will be lost when regenerateExpiredSessionId is true, as ASP.NET performs a redirect to ensure that the browser has the new session identifier in the URL.

NoteNote:

While setting the regenerateExpiredSessionId attribute to true reduces the possibility of unwanted sharing of session data, it does not protect against an unwanted source gaining access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.

The following code example sets the cookieless session attribute to true in the Web.config file.

<configuration>
  <system.web>
    <sessionState 
      mode="InProc"
      cookieless="true"
      regenerateExpiredSessionId="true"
      timeout="30" />
  </system.web>
</configuration>

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0, 1.1, 1.0
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.