HttpSessionState.IsCookieless Property
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Gets a value indicating whether the session ID is embedded in the URL or stored in an HTTP cookie.
public:
property bool IsCookieless { bool get(); };
public bool IsCookieless { get; }
member this.IsCookieless : bool
Public ReadOnly Property IsCookieless As Boolean
Property Value
true
if the session is embedded in the URL; otherwise, false
.
Examples
The following code example sets the cookieless
session attribute to true in the Web.config file.
<configuration>
<system.web>
<sessionState
mode="InProc"
cookieless="true"
regenerateExpiredSessionId="true"
timeout="30" />
</system.web>
</configuration>
Remarks
ASP.NET identifies sessions uniquely with each browser. By default, the unique identifier for a session is stored in a non-expiring session cookie in the browser. You can specify that session identifiers not be stored in a cookie by setting the cookieless
attribute to true
in the sessionState configuration element.
Note
To improve the security of your application, your application should allow users to log out, at which point it should call the Abandon method. This reduces the potential for an unwanted source using the unique identifier in the URL to retrieve private data stored in the session for a user.
ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique session ID lit3py55t21z5v55vlm25s55:
http://www.example.com/(S(4danlfat035muve4g0mvgfrr))/orderform.aspx
ASP.NET modifies the links contained in all requested pages by embedding a session-ID value in the links just before sending each page to the browser. Session state is maintained as long as the user follows the path of links that the site provides. However, if the user agent rewrites a URL, the session-state instance will be lost.
The session ID is embedded in the URL after the slash that follows the application name and before any remaining file or virtual-directory identifier. This allows ASP.NET to resolve the application name before involving the SessionStateModule in the request.
By default, session identifiers used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started using the session ID supplied with the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless session ID is shared with multiple browsers, perhaps through a search engine or other program. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling of session identifiers. To do this, set the regenerateExpiredSessionId
attribute of the sessionState configuration element to true
. This will result in a new session ID being generated when a cookieless session request is made with an expired session ID. Note that if the request made with the expired session ID uses the HTTP POST
method, then any posted data will be lost when regenerateExpiredSessionId
is true
, as ASP.NET performs a redirect to ensure that the browser has the new session identifier in the URL.
Note
While setting the regenerateExpiredSessionId
attribute to true
reduces the possibility of unwanted sharing of session data, it does not protect against an unwanted source gaining access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.