Cookies are used for session management and forms authentication. If a user has cookies disabled, there are two options:
- Ignore such users (bad)
- Use cookieless sessions instead
How to:
- No code change required; simply add the following to web.config (required):
  <sessionState cookieless="true" />
- Refactor code so that nothing valuable is kept in session state (recommended): with the ID in the URL, anyone who obtains the URL obtains the session.
- Reduce the session lifetime to less than the default 20 minutes via the timeout attribute of <sessionState> (recommended), so that a leaked URL stops working sooner.
- Use relative links in pages (recommended). A root-relative path such as /test/page.aspx must be passed through the ApplyAppPathModifier method of the HttpResponse class, which inserts the session ID:
  <a href="<%= Response.ApplyAppPathModifier("/test/page.aspx") %>">Click</a>
  The anchor is plain HTML: a <%= %> expression cannot appear inside the attributes of a runat="server" control, so for a server-side HtmlAnchor set its HRef property from code-behind instead.
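The web.config that results from the steps above, as an added example and not the post's own configuration: the required cookieless switch together with the recommended shorter timeout, and (ASP.NET 2.0 only) the matching forms authentication setting. The loginUrl and the 10-minute values are assumptions for illustration.

```xml
<configuration>
  <system.web>
    <!-- Required: cookieless="true" puts the session ID in the URL.
         Recommended: timeout (minutes) below the default 20, since a leaked
         URL is a valid session for the whole window. 10 is an illustrative value. -->
    <sessionState cookieless="true" timeout="10" />

    <!-- ASP.NET 2.0 only: the forms authentication ticket can also travel
         in the URL. loginUrl and the timeout are illustrative values. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" cookieless="UseUri" timeout="10" />
    </authentication>
  </system.web>
</configuration>
```

On ASP.NET 2.0 the <sessionState> attribute also accepts cookieless="UseUri", which means the same thing as "true"; "true" works on both 1.x and 2.0.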
Internals:
- Cookieless sessions embed the session ID in the URL and keep the session data on the server, e.g.
  http://yourserver/folder/(session ID here)/default.aspx
- Two runtime components are involved: the SessionStateModule HTTP module, and the aspnet_filter.dll ISAPI filter, which rewrites the incoming URL to remove the session ID segment before the request is routed.
- The <sessionState> node in web.config also configures other aspects of session state management, including the storage mode (in-process, state server or SQL Server) and the connection strings.
Pros:
- Session management works in a cookieless environment.
- Forms authentication works in a cookieless environment [ASP.NET 2.0 only].
- The session ID is never stored in a cookie, so attacks that steal cookies (e.g. reading document.cookie through XSS) do not apply. The ID is in the URL instead, which has its own exposure (see Cons).
Cons:
- Exposes the app to session hijacking: the session ID is visible in the address bar, browser history, proxy and web server logs, and the Referer header sent to any site the user clicks through to. Anyone who obtains the URL takes over the session; no XSS is needed, a user only has to paste or forward a link.
- Opening a new browser window results in a new session, so the information in the old session is lost.
- Pages cannot embed absolute, fully qualified links; such links start a new session. Always use relative links (or ApplyAppPathModifier for root-relative paths).
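The hijacking and lost-session behaviour described above, as an added example (not code from the original post or from ASP.NET): a Python model of the URL scheme plus a check over constructed log lines for the signs of a hijacked or leaked cookieless session. It assumes the ASP.NET 2.0 /(S(<id>))/ and 1.x /(<id>)/ path forms with 24-character IDs drawn from a-z and 0-5, a simplified apply_app_path_modifier that only models the behaviour this page describes, a reduced log layout of client IP, method, URI stem and Referer, and the hostnames shop.example and forum.example; all of these are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Cookieless session IDs appear in the path as /(S(<id>))/ in ASP.NET 2.0 and as
# /(<id>)/ in ASP.NET 1.x. Assumption for this example: IDs are 24 characters
# from the alphabet a-z and 0-5, as produced by the framework's ID generator.
SESSION_ID_RE = re.compile(r"/\((?:S\(([a-z0-5]{24})\)|([a-z0-5]{24}))\)/")


def extract_session_id(path):
    """Return the session ID embedded in a URL path, or None if there is none."""
    m = SESSION_ID_RE.search(path)
    if m is None:
        return None
    return m.group(1) or m.group(2)


def apply_app_path_modifier(virtual_path, session_id, app_root="/"):
    """Simplified model (not the framework's code) of what
    HttpResponse.ApplyAppPathModifier does for a cookieless session: insert the
    (S(<id>)) segment right after the application root of a root-relative path.
    A fully qualified URL (scheme and host) is returned untouched, which is
    exactly why such links land in a fresh session."""
    if urlsplit(virtual_path).scheme:
        return virtual_path
    if extract_session_id(virtual_path) is not None:
        return virtual_path  # already carries an ID, do not add a second one
    if not app_root.endswith("/") or not virtual_path.startswith(app_root):
        raise ValueError(f"{virtual_path!r} is not under application root {app_root!r}")
    rest = virtual_path[len(app_root):]
    return f"{app_root}(S({session_id}))/{rest}"


# Constructed, reduced web-server log lines: client IP, method, URI stem, Referer
# ("-" when absent). Real IIS W3C logs carry more fields; this layout is assumed.
LOG_LINES = """\
10.0.0.5 GET /(S(abcdefghijklmnopqrstuvwx))/default.aspx -
10.0.0.5 GET /(S(abcdefghijklmnopqrstuvwx))/orders.aspx http://shop.example/(S(abcdefghijklmnopqrstuvwx))/default.aspx
203.0.113.9 GET /(S(abcdefghijklmnopqrstuvwx))/orders.aspx http://forum.example/thread/42
10.0.0.7 GET /(S(zyxwvutsrqponmlkjihgfedc))/default.aspx -
10.0.0.8 GET /default.aspx -
""".splitlines()


def find_hijack_indicators(log_lines, our_host="shop.example"):
    """Two signs that a URL-borne session ID has left its owner's browser:
    1. the same ID used from more than one client IP (shared link or hijack);
    2. a request carrying an ID whose Referer is another site, i.e. the link,
       ID included, was posted or sent somewhere outside the application.
    Returns ({session_id: sorted client IPs}, [(session_id, client_ip, referer_host)])."""
    ips_by_sid = defaultdict(set)
    external_referers = []
    for line in log_lines:
        c_ip, _method, uri_stem, referer = line.split()
        sid = extract_session_id(uri_stem)
        if sid is None:
            continue
        ips_by_sid[sid].add(c_ip)
        if referer != "-":
            ref_host = urlsplit(referer).hostname
            if ref_host and ref_host != our_host:
                external_referers.append((sid, c_ip, ref_host))
    shared = {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}
    return shared, external_referers


if __name__ == "__main__":
    sid = "abcdefghijklmnopqrstuvwx"
    print(apply_app_path_modifier("/test/page.aspx", sid))
    print(apply_app_path_modifier("http://other.example/page.aspx", sid))
    shared, external = find_hijack_indicators(LOG_LINES)
    for s, ips in shared.items():
        print(f"session {s} used from {', '.join(ips)}")
    for s, ip, host in external:
        print(f"session {s} arrived at {ip} via a link on {host}")
```

Run against a real log, the first check also fires for legitimate users behind rotating proxies, so treat it as a lead to correlate with the second check and with the session's authentication events rather than as proof of hijacking.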
References:
http://msdn.microsoft.com/asp.net/default.aspx?pull=/library/en-us/dnaspp/html/cookieless.asp
http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/default.aspx

