SessionStateSection.Cookieless Property
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Gets or sets a value indicating whether cookies are used to identify client sessions.
public:
property System::Web::HttpCookieMode Cookieless { System::Web::HttpCookieMode get(); void set(System::Web::HttpCookieMode value); };
[System.Configuration.ConfigurationProperty("cookieless")]
public System.Web.HttpCookieMode Cookieless { get; set; }
[<System.Configuration.ConfigurationProperty("cookieless")>]
member this.Cookieless : System.Web.HttpCookieMode with get, set
Public Property Cookieless As HttpCookieMode
true
if all requests are treated as cookieless, or false
if no requests are treated as cookieless, or one of the HttpCookieMode values. The default value in ASP.NET version 2.0 is AutoDetect. In earlier versions, the default value was false
.
- Attributes
The following code example demonstrates how to get the Cookieless property. Refer to the code example in the SessionStateSection class topic to learn how to access the SessionStateSection object.
// Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}",
sessionStateSection.Cookieless);
' Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}", sessionStateSection.Cookieless)
There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.
For applications that allow clients that do not support cookies, such as a variety of mobile devices, the session ID may be stored in the URL. The URL option has several drawbacks. It requires that the links on the site be relative and that the page be redirected at the beginning of the session with new query-string values, and it exposes the session ID right in the query string, where it can be picked up for use in a security attack.
You are encouraged to use the cookieless mode only if you need to support clients that lack cookie support.
Session state also supports two additional options: UseDeviceProfile and AutoDetect. The former enables the session-state module to determine what mode (cookie or cookieless) is used on a per-client basis based on the browser capabilities. The AutoDetect option performs a handshake with the browser to verify whether a cookie may be stored, and therefore requires an additional request to make the determination. If you need to support cookieless clients, strongly consider using UseDeviceProfile to generate cookieless URLs only for clients that require them.
Note
With UP.Browser 4.1 or UP.Browser 3.2, Redirect always behaves as if the value of the SupportsRedirectWithCookie property of the HttpBrowserCapabilities object is false
, unless the Cookieless property in the SessionState section of Web.config has been explicitly set to true
.
In ASP.NET version 1.1, the options for this setting were true
or false
, but with ASP.NET 2.0, the choices are expanded, and AutoDetect is now the default setting. If your Web application has the Cookieless property set to a Boolean value, then Redirect should work as expected for these browsers.
Product | Versions |
---|---|
.NET Framework | 2.0, 3.0, 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1 |
.NET feedback
.NET is an open source project. Select a link to provide feedback: