This may or may not be a programming question, but one or two users of my website have got some strange strings being inserted into their address bar.

The address should be: http://URL/Couple of Folders/page.aspx

but occasionally the same thing becomes: http://URL/(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))/Folders/Page.aspx

The string is also in the action field as so:

<form name="aspnetForm" method="post" action="/**(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))**/<Page>.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">

I'm no server/IIS expert, so please excuse me if this is a dumb question, but what is the strange string and do I/my clients need to worry?

+4  A: 

Hi there,

Looks like you have cookieless sessions set to auto in your web config.

If a user allows cookies, their sessionID is stored in an in-memory cookie. If they don't, ASP.Net pushes the sessionID into the URL, and this is used to identify which user is making the request. The strange string of characters you are seeing are sessionIDs for those people who have cookies switched off.

There's not really anything to worry about here, although it does make session hijacking a little easier... Probably wouldn't stress about this though.

Hope it helps...

Paul
+1  A: 

Please check your sessionstate node settings in web.config. The cookieless attribute in sessionstate node must be set to false as shown in the following settings.

<sessionState mode="Off|InProc|StateServer|SQLServer"
              cookieless="true|false"
              timeout="number of minutes"
              stateConnectionString="tcpip=server:port"
              sqlConnectionString="sql connection string"
              stateNetworkTimeout="number of seconds"/>
Rasik Jain
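
A token carried in the URL ends up wherever URLs are recorded (server logs, browser history, shared links), which is the hijacking exposure mentioned above. The following is an added example, not part of the question or either answer: it parses the ASP.NET cookieless path segment, flags log lines that carry a session or authentication token, and redacts them. The function names are hypothetical, the log lines are constructed, and the prefix meanings follow ASP.NET's cookieless URL format (S session state, F forms authentication, A anonymous identification, X cookie-support auto-detect marker).

```python
import re

# Path segment ASP.NET inserts for cookieless features, e.g. /(X(1)F(<ticket>))/
SEGMENT = re.compile(r"/\(((?:[A-Z]\([^()]*\))+)\)(?=/)")
TOKEN = re.compile(r"([A-Z])\(([^()]*)\)")

# Prefix letters used in ASP.NET's cookieless URL format.
FEATURES = {
    "S": "session state ID",
    "F": "forms authentication ticket",
    "A": "anonymous identification",
    "X": "cookie-support auto-detect marker",
}

def find_cookieless_tokens(url):
    """Return {prefix: value} for every cookieless token embedded in the path."""
    found = {}
    for seg in SEGMENT.finditer(url):
        found.update(TOKEN.findall(seg.group(1)))
    return found

def redact(url):
    """Strip the cookieless segment so the URL can be logged or shared."""
    return SEGMENT.sub("", url)

def scan(lines):
    """Yield (line_no, leaked features, redacted line) for lines carrying S or F tokens."""
    for no, line in enumerate(lines, 1):
        tokens = find_cookieless_tokens(line)
        leaked = sorted(FEATURES[p] for p in tokens if p in ("S", "F"))
        if leaked:
            yield no, leaked, redact(line)

# Constructed log lines; the second reuses the token shown in the question,
# the S(...) value is made up for illustration.
SAMPLE = [
    "GET /Folders/Page.aspx 200",
    "GET /(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))/Folders/Page.aspx 200",
    "GET /(X(1))/Folders/Page.aspx 302",
    "GET /(S(constructedsessionid0000))/Default.aspx 200",
]

if __name__ == "__main__":
    for no, leaked, clean in scan(SAMPLE):
        print(f"line {no}: {', '.join(leaked)} -> {clean}")
```

A line that carries only the X(1) marker is not flagged, because that marker records the cookie-support check and holds no credential.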