Export (0) Print
Expand All

SessionStateSection.Cookieless Property

Gets or sets a value indicating whether cookies are used to identify client sessions.

Namespace:  System.Web.Configuration
Assembly:  System.Web (in System.Web.dll)

[ConfigurationPropertyAttribute("cookieless")]
public HttpCookieMode Cookieless { get; set; }

Property Value

Type: System.Web.HttpCookieMode
true if all requests are treated as cookieless, or false if no requests are treated as cookieless, or one of the HttpCookieMode values. The default value in ASP.NET version 2.0 is AutoDetect. In earlier versions, the default value was false.

There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.

For applications that allow clients that do not support cookies, such as a variety of mobile devices, the session ID may be stored in the URL. The URL option has several drawbacks. It requires that the links on the site be relative and that the page be redirected at the beginning of the session with new query-string values, and it exposes the session ID right in the query string, where it can be picked up for use in a security attack.

You are encouraged to use the cookieless mode only if you need to support clients that lack cookie support.

Session state also supports two additional options: UseDeviceProfile and AutoDetect. The former enables the session-state module to determine what mode (cookie or cookieless) is used on a per-client basis based on the browser capabilities. The AutoDetect option performs a handshake with the browser to verify whether a cookie may be stored, and therefore requires an additional request to make the determination. If you need to support cookieless clients, strongly consider using UseDeviceProfile to generate cookieless URLs only for clients that require them.

NoteNote:

With UP.Browser 4.1 or UP.Browser 3.2, Redirect always behaves as if the value of the SupportsRedirectWithCookie property of the HttpBrowserCapabilities object is false, unless the Cookieless property in the SessionState section of Web.config has been explicitly set to true.

In ASP.NET version 1.1, the options for this setting were true or false, but with ASP.NET 2.0, the choices are expanded, and AutoDetect is now the default setting. If your Web application has the Cookieless property set to a Boolean value, then Redirect should work as expected for these browsers.

The following code example demonstrates how to get the Cookieless property. Refer to the code example in the SessionStateSection class topic to learn how to access the SessionStateSection object.

// Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}",
  sessionStateSection.Cookieless);

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0

Community Additions

ADD
Show:
© 2014 Microsoft