ASP.NET 1.1 added support for cookieless session state. As mentioned in earlier chapters, the cookieless mechanism that was added in ASP.NET 1.1 for session state has been expanded in ASP.NET 2.0 to encompass cookieless support for forms authentication as well as anonymous identification. You can enable cookieless operation for session state with the following configuration in the <system.web> section of web.config:
<sessionState cookieless="UseUri" />
You can also issue cookieless session identifiers based on the capabilities of a user's browser with one of the following options: AutoDetect or UseDeviceProfile. These options use different detection mechanisms (a probe of the browser's cookie support, or the browser capabilities database, respectively) to determine whether the user's browser should be sent a cookieless session identifier; at run time a page can check which mode ended up in effect through Session.IsCookieless. Accessing an application that uses cookieless session state results in the session identifier showing up in the URL, embedded in the path between the application root and the page inside an (S(...)) segment.
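The two configurations side by side, as an added example that is not from the book: the first turns on cookieless operation for all three features (session state, forms authentication and anonymous identification), the second keeps every identifier in a cookie and marks those cookies HttpOnly and SSL-only. Both fragments belong under <system.web> in web.config; the attribute values shown are choices for this example, not defaults.

```xml
<!-- Added example, not the book's configuration. Fragments go under <system.web>. -->

<!-- Cookieless everywhere: session ID, forms ticket and anonymous ID all travel in the URL path. -->
<sessionState cookieless="UseUri" />
<authentication mode="Forms">
  <forms cookieless="UseUri" />
</authentication>
<anonymousIdentification enabled="true" cookieless="UseUri" />

<!-- Cookie-based alternative: identifiers stay out of the URL, out of referrers and browser
     history, and (HttpOnly, SSL-only) out of script reach and off cleartext connections. -->
<sessionState cookieless="UseCookies" regenerateExpiredSessionId="true" />
<authentication mode="Forms">
  <forms cookieless="UseCookies" requireSSL="true" />
</authentication>
<anonymousIdentification enabled="true" cookieless="UseCookies" cookieRequireSSL="true" />
<httpCookies httpOnlyCookies="true" requireSSL="true" />
```

With AutoDetect or UseDeviceProfile the server can still fall back to the URI form for a browser it believes rejects cookies, so an application that must never expose identifiers in URLs should state UseCookies explicitly rather than rely on detection.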
The value in the URL is the same value that is returned from Session.SessionID. If you use the following line of code on the default.aspx page shown earlier:
Response.Write(Session.SessionID + "<br />");
the identifier output on the page matches the value shown in the URL:
This behavior should start a few security antennae wiggling! Now anybody who looks at the address bar in the browser knows his or her session identifier, and so does anything else that sees the URL: the browser history, bookmarks, proxy and web server logs, and the Referer header sent to any third-party site the page links to or loads content from. A user who understands how ASP.NET works will recognize this value, and a malicious user who understands ASP.NET session state may start ...
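To make the exposure concrete, here is an added example (not code from the book) that scans proxy-style access log lines for ASP.NET cookieless session identifiers. It pulls the ID out of the (S(...)) path segment, flags requests to a third-party host whose Referer still carries the ID, and flags IDs presented from more than one client address. The log format, hostnames, addresses and identifiers are constructed for the example; the 24-character, lowercase alphanumeric shape of the ID matches what the default ASP.NET 2.0 session ID manager issues.

```python
"""Added example: detect ASP.NET cookieless session IDs leaking through URLs.

Not from the book. Log format, hosts, IPs and IDs below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The session token inside a cookieless path segment: "(S(<id>))" on its own,
# or "(S(<id>)F(<forms ticket>)A(<anon id>))" when those features are cookieless too.
SESSION_TOKEN_RE = re.compile(r"\(S\(([a-z0-9]{24})\)")

# Constructed proxy-style log lines: date time client_ip method url referer status.
SAMPLE_LOG = [
    "2006-03-01 10:15:02 10.0.0.5 GET http://shop.example.com/app/(S(4ghnijv1ghsjeabaobj3s3ln))/default.aspx - 200",
    "2006-03-01 10:15:09 10.0.0.5 GET http://shop.example.com/app/(S(4ghnijv1ghsjeabaobj3s3ln))/cart.aspx http://shop.example.com/app/(S(4ghnijv1ghsjeabaobj3s3ln))/default.aspx 200",
    # Banner fetched from a third-party host: the Referer hands it the session ID.
    "2006-03-01 10:15:10 10.0.0.5 GET http://ads.example.net/banner.gif http://shop.example.com/app/(S(4ghnijv1ghsjeabaobj3s3ln))/cart.aspx 200",
    # Same session ID presented from a different client address.
    "2006-03-01 10:21:44 10.0.0.9 GET http://shop.example.com/app/(S(4ghnijv1ghsjeabaobj3s3ln))/account.aspx - 200",
    # Combined cookieless form (session ID plus forms ticket), single client, no referer.
    "2006-03-01 10:22:01 10.0.0.7 GET http://shop.example.com/app/(S(a1b2c3d4e5f6g7h8i9j0k1l2)F(abc123))/default.aspx - 200",
]


def extract_session_id(url):
    """Return the cookieless session ID carried in url's path, or None."""
    match = SESSION_TOKEN_RE.search(urlsplit(url).path)
    return match.group(1) if match else None


def parse_log_line(line):
    """Split one constructed log line into a record; '-' means no Referer."""
    date, time, client_ip, method, url, referer, status = line.split()
    return {
        "ts": f"{date} {time}",
        "client_ip": client_ip,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "status": int(status),
    }


def find_referer_leaks(records):
    """(session_id, origin host, third-party host) for every cross-host Referer carrying an ID."""
    leaks = []
    for rec in records:
        if not rec["referer"]:
            continue
        sid = extract_session_id(rec["referer"])
        if sid is None:
            continue
        origin = urlsplit(rec["referer"]).netloc.lower()
        target = urlsplit(rec["url"]).netloc.lower()
        if origin != target:
            leaks.append((sid, origin, target))
    return leaks


def find_shared_session_ids(records):
    """Session IDs presented by more than one client address: hijack or fixation candidates."""
    clients = defaultdict(set)
    for rec in records:
        sid = extract_session_id(rec["url"])
        if sid:
            clients[sid].add(rec["client_ip"])
    return {sid: sorted(ips) for sid, ips in clients.items() if len(ips) > 1}


def scan(lines):
    """Run both checks over raw log lines and return the findings."""
    records = [parse_log_line(line) for line in lines if line.strip()]
    return {
        "leaks": find_referer_leaks(records),
        "shared": find_shared_session_ids(records),
    }


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for sid, origin, target in findings["leaks"]:
        print(f"LEAK   session {sid} for {origin} sent in Referer to {target}")
    for sid, ips in findings["shared"].items():
        print(f"SHARED session {sid} used from {', '.join(ips)}")
```

The same (S(...)) pattern works against IIS W3C logs and HTTP proxy captures once the field order in parse_log_line is adjusted; the shared-ID check is deliberately loose (NAT and roaming clients change addresses legitimately) and is meant to rank sessions for review, not to block them.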