Relative links automatically gain the session ID

Question

Hello,

Because the session ID is inserted in the current URL, relative links also automatically gain the session ID. In other words, if the user is currently stationed on Page1.aspx and clicks a relative link to Page2.aspx, the relative link includes the current session ID as part of the URL. The only real limitation of cookieless state is that you cannot use absolute links, because they will not contain the session ID.

I don’t understand why relative links are able to gain session ID, but not absolute links?

Thank you

Answer 1

If you use cookieless sessions, then a session id is inserted into the url like this:

http://www.mysite.com/12345/Default.aspx

Now if you link from default.aspx to: "http://www.mysite.com/dosomething.aspx" (<a href="http://www.mysite.com/dosomething.aspx"&gt;...&lt;/a&gt;), the link with the session is lost. If you have used "dosomething.aspx" (<a href="dosomething.aspx">...</a>) as the link, the browser will resolve this to:

http://www.mysite.com/12345/dosomething.aspx

As you can see, the sessionid now is known to the server.

Answer 2

ASP.NET uses a trick that parses the URL so that from the client's perspective it is in the same directory so it will always retain the session id without you having to worry about changing your javascript or external javascript files, etc.

Example: http://localhost:50311/SomeWebSite/(S(f2rvdgj1bj1nyuzhfeqrvveq))/Page2.aspx

Normally the URL would be "http://localhost:50311/SomeWebSite/Page2.aspx" but since the web client (browser) thinks that the session id is a directory (/(S(f2rvdgj1bj1nyuzhfeqrvveq))/) it will happily try to stay in that same directory.

This way, ASP.NET does not have at actually reparse the urls outputted, the client automatically just forwards it.

If you want absolute URL's to gain the session ID, it should be trivial to create a special anchor control that verifies that the the target url is in the root of your application so you don't pass along that session id to an external application, which wouldn't know what to do with it.

Answer 3

hello,

ASP.NET uses a trick that parses the URL so that from the client's perspective it is in the same directory so it will always retain the session id without you having to worry about changing your javascript or external javascript files, etc.

Example: http://localhost:50311/SomeWebSite/(S(f2rvdgj1bj1nyuzhfeqrvveq))/Page2.aspx

Normally the URL would be "http://localhost:50311/SomeWebSite/Page2.aspx" but since the web client (browser) thinks that the session id is a directory (/(S(f2rvdgj1bj1nyuzhfeqrvveq))/) it will happily try to stay in that same directory.

And what if Page2.aspx was actually located in SomeWebSite directory?How would URL then look?

This way, ASP.NET does not have at actually reparse the urls outputted, the client automatically just forwards it.

So client doesn’t have to postback to the server(in order for server to create the following URL) to get the following URL http://localhost:50311/SomeWebSite/(S(f2rvdgj1bj1nyuzhfeqrvveq))/Page2.aspx , but instead URL is formed by the browser?

If you want absolute URL's to gain the session ID, it should be trivial to create a special anchor control that verifies that the the target url is in the root of your application so you don't pass along that session id to an external application, which wouldn't know what to do with it.

I still don’t understand why session ID isn’t put at the end of URL and that way absolute links would also gain the session ID