
SessionStateSection.Cookieless Property


Gets or sets a value indicating whether cookies are used to identify client sessions.

property System::Web::HttpCookieMode Cookieless { System::Web::HttpCookieMode get(); void set(System::Web::HttpCookieMode value); };
public System.Web.HttpCookieMode Cookieless { get; set; }
member this.Cookieless : System.Web.HttpCookieMode with get, set
Public Property Cookieless As HttpCookieMode

Property Value

true if all requests are treated as cookieless, or false if no requests are treated as cookieless, or one of the HttpCookieMode values. The default value in ASP.NET version 2.0 is AutoDetect. In earlier versions, the default value was false.



The following code example demonstrates how to get the Cookieless property. Refer to the code example in the SessionStateSection class topic to learn how to access the SessionStateSection object.

// Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}",
    sessionStateSection.Cookieless);

' Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}", sessionStateSection.Cookieless)


There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.

For applications that allow clients that do not support cookies, such as a variety of mobile devices, the session ID may be stored in the URL. The URL option has several drawbacks. It requires that the links on the site be relative and that the page be redirected at the beginning of the session with new query-string values, and it exposes the session ID right in the query string, where it can be picked up for use in a security attack.

You are encouraged to use the cookieless mode only if you need to support clients that lack cookie support.

Session state also supports two additional options: UseDeviceProfile and AutoDetect. The former enables the session-state module to determine what mode (cookie or cookieless) is used on a per-client basis based on the browser capabilities. The AutoDetect option performs a handshake with the browser to verify whether a cookie may be stored, and therefore requires an additional request to make the determination. If you need to support cookieless clients, strongly consider using UseDeviceProfile to generate cookieless URLs only for clients that require them.
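The following audit is an added example, not part of the original documentation: it reads a Web.config document and reports, for each sessionState element, whether the cookieless setting can place the session ID in the URL. The function name, the exposure labels and the sample configurations are assumptions constructed for illustration; UseUri and UseCookies are the HttpCookieMode members that correspond to true and false.

```python
import xml.etree.ElementTree as ET

# Accepted cookieless values mapped to where the session ID can end up.
# "true"/"false" are the Boolean forms; the others are HttpCookieMode names.
EXPOSURE = {
    "true": "always-url",
    "useuri": "always-url",
    "false": "cookie-only",
    "usecookies": "cookie-only",
    "autodetect": "url-for-some-clients",
    "usedeviceprofile": "url-for-some-clients",
}

def audit_session_state(web_config_xml):
    """Return [(cookieless value, exposure)] for every <sessionState> element.

    exposure is an EXPOSURE label, "unset" when the attribute is absent
    (the framework default then applies), or "unrecognized".
    """
    findings = []
    for node in ET.fromstring(web_config_xml).iter():
        # Compare the local name so a namespaced <configuration> still matches.
        if node.tag.rsplit("}", 1)[-1] != "sessionState":
            continue
        raw = node.get("cookieless")
        if raw is None:
            findings.append((None, "unset"))
        else:
            # Lower-cased only to make the audit tolerant of casing.
            findings.append((raw, EXPOSURE.get(raw.strip().lower(), "unrecognized")))
    return findings

# Constructed sample inputs, not taken from any real application.
SAMPLE_URL_MODE = """<configuration><system.web>
  <sessionState mode="InProc" cookieless="true" timeout="20" />
</system.web></configuration>"""

SAMPLE_PER_CLIENT = """<configuration>
  <location path="mobile"><system.web>
    <sessionState cookieless="UseDeviceProfile" />
  </system.web></location>
  <system.web><sessionState mode="InProc" /></system.web>
</configuration>"""

if __name__ == "__main__":
    for name, doc in (("url-mode", SAMPLE_URL_MODE), ("per-client", SAMPLE_PER_CLIENT)):
        for setting, exposure in audit_session_state(doc):
            print(f"{name}: cookieless={setting!r} -> {exposure}")
```

An "unset" finding is worth reviewing by hand, because the effective mode then depends on the framework default for the ASP.NET version in use.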


With UP.Browser 4.1 or UP.Browser 3.2, Redirect always behaves as if the value of the SupportsRedirectWithCookie property of the HttpBrowserCapabilities object is false, unless the Cookieless property in the SessionState section of Web.config has been explicitly set to true.

In ASP.NET version 1.1, the options for this setting were true or false, but with ASP.NET 2.0, the choices are expanded, and AutoDetect is now the default setting. If your Web application has the Cookieless property set to a Boolean value, then Redirect should work as expected for these browsers.
