views:

1698

answers:

6

In config file I have the below settings

<sessionState mode="InProc" cookieless="false" />

Does this indicate that the session ID is stored in cookies? If yes, then how is it picked up and sent to the server, and how is it verified across postbacks?

What will happen if cookies are disabled in my browser, will the session(sessionid and session variables) still be created?

Where (default path) are the cookies created and stored by default for sessions, and can I change the path?

What format and kind of data is stored in cookies for session?

If I store a class object in session, then what is actually stored in cookies?

Also, if I use authentication mode as forms with cookies, then what will happen if cookies are disabled in the browser?

A: 

Each request creates new session

Jan Remunda
-1: That's definitely not my understanding of what happens here.
Brian MacKay
-1: No session is created at all. Who is voting this up?
Josh Stodola
A session is created, but because the next request does not send a cookie with a session ID and the application cannot find out what your session ID is, a new session object will be created. Try Response.Write(Session.SessionID) in your web page and turn off cookies.
Jan Remunda
A: 

My guess is that each request by the client will be seen as a new session by the server.

David
+5  A: 

The session cookie is a special non-persistent cookie. It's only stored in memory, so in most cases even when cookies are disabled it still works fine.

It's also possible to enable something called cookieless sessions where the sessionID is embedded in the URL, like this:

http://yourserver/folder/ (encrypted session ID here) /default.aspx

Here's a link to an MSDN article with more details: http://msdn.microsoft.com/en-us/library/aa479314.aspx

NOTE: It is possible to completely block the session cookie. For instance, in IE8, I just went into Tools > Internet Options > Privacy. When I cranked the slider up to 'High' or greater, my sites never got past the login screen because the session cookie was blocked - in fact, Josh Stodola said below that in this case the session would never even be created on the server.

However, understand that this type of behavior effectively breaks the Internet. So unless you're building a site targeted at conspiracy theorists, in my opinion (and the opinion of most of the largest sites in the world) there's no need to cater to the tiny percentage of users who don't play by the normal rules.

For them, the Internet just isn't going to work the way it's supposed to.

Brian MacKay
lol... you mean "cookieless sessions"?
blesh
Already fixed, slowy! :)
Brian MacKay
In IE6 through IE8, you can also disable session cookies if you go to Privacy > Advanced and check "Override automatic cookie handling", select "Block" under first-party cookies, and leave "Always allow session-cookies" unchecked. But still, if you do this there will be a lot of sites that won't work properly.
Steve Wortham
+1 for Dino's article - I was going to add it as an answer, but you already have.
RichardOD
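Added example, not code from the original thread: a toy Python model of the server-side lookup that Jan Remunda's comment and the answer above describe. The store, the cookie name ASP.NET_SessionId (ASP.NET's default) and the (S(id)) path-segment form of cookieless session URLs are modelled here as assumptions, simplified from the real runtime. It shows that with cookies disabled and cookieless=false every request gets a fresh session ID, while cookieless mode keeps one session without any cookie.

```python
import secrets

SESSION_COOKIE = "ASP.NET_SessionId"   # default session cookie name in ASP.NET (assumed)


class SessionStore:
    """Toy InProc-style session store: a constructed model, not ASP.NET's own code."""

    def __init__(self, cookieless=False):
        self.cookieless = cookieless
        self.sessions = {}                 # session id -> dict of session variables

    def handle_request(self, path, cookies):
        """Return (session_id, is_new, set_cookie_header) for one request.
        `cookies` is the parsed Cookie header the browser sent (empty if cookies are off)."""
        sid = None
        if self.cookieless:
            # cookieless mode: the id travels in a /(S(<id>))/ path segment, so no cookie
            # is needed; note the id is then visible in the URL (server logs, referrers)
            for seg in path.split("/"):
                if seg.startswith("(S(") and seg.endswith("))"):
                    sid = seg[3:-2]
        else:
            sid = cookies.get(SESSION_COOKIE)
        if sid in self.sessions:
            return sid, False, None        # id recognised: same session object across postbacks
        # unknown or missing id: the server cannot tie this request to an earlier one,
        # so it creates a brand-new session (the behaviour Jan Remunda's comment describes)
        sid = secrets.token_urlsafe(18)
        self.sessions[sid] = {}
        set_cookie = None if self.cookieless else f"{SESSION_COOKIE}={sid}; path=/; HttpOnly"
        return sid, True, set_cookie


def simulate_browser(cookies_enabled, cookieless, requests=3):
    """Model a browser making several requests; return the session id seen on each one."""
    store = SessionStore(cookieless=cookieless)
    jar = {}                               # the browser's cookie jar (constructed sample state)
    path = "/folder/default.aspx"
    seen = []
    for _ in range(requests):
        sid, _is_new, set_cookie = store.handle_request(path, jar)
        seen.append(sid)
        if set_cookie and cookies_enabled:  # a browser with cookies disabled discards Set-Cookie
            name, value = set_cookie.split(";")[0].split("=", 1)
            jar[name] = value
        if cookieless:
            # in cookieless mode the server rewrites links so the next URL carries the id
            path = f"/folder/(S({sid}))/default.aspx"
    return seen
```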
A: 

If you happen to grab the request headers from your browser, you can see that a SessionID is part of the header. This is used by the server to determine which session belongs to which user.

johnofcross
A: 

Instead of session id being passed via cookie, it is typically passed as a query string in the URL, or as a custom HTTP header. With the scenario you described, however, your user will never obtain a session because you have cookieless set to false.

Josh Stodola
I have created a test application in which I have set cookieless to false and I have disabled the cookies in my browser. The authentication mode is set to forms. Guess what? The application still works.
Panache
A: 

I have not implemented this personally. But it should be like:

As cookieless=false in the web.config file and the browser has disabled cookies, when the first request for the page comes, the HTTP module will check for the forms authentication cookie. It will be empty, which sends the user to the login page. When the second request for any page on the website comes, it will again find the forms authentication cookie empty and send the user to the login page. So for every request the user needs to create a new session.

Neil