Since HTTP is by its nature a stateless protocol that doesn’t remember anything about a user between requests, web application developers must always deal with handling state information.
The classic ASP takes advantage of a nice little feature of http known as http cookies to store the session state. So what in a sense happens is when the clients send the requests to the server, the server create the session state information and stuff it into an http cookie and hand it back to the browsers, the client.
Now one of the unfortunate side effects of this is that a lot of individuals feel like cookies aren’t necessarily good things, possibly security risks. The ASP.NET addresses this weakness by allowing "cookieless" sessions.
Open the Web.Config in the web site folder, edit the
sessionState as followings:
<configuration>
<system.web>
<sessionState cookieless="true" mode="InProc" timeout="20"></sessionState>
</system.web>
</configuration>
Session state is currently configured for cookieless. What it means is that without making any programming changes to our code ASP.NET will now, instead of embedding our session ID inside of a cookie, it will embed the session ID into the URL. Meaning as we navigate through our site the session ID is actually passed in the URL of the page.
For instance, if you send a request to the test.aspx page in this web site, the URL in the address bar of Internet Explorer is as follows:
http://localhost/mysite/(S(4t5n44r4ufthqpqa3wcvrs55))/test.aspx
The value
4t5n44r4ufthqpqa3wcvrs55 in parentheses is the session ID.
Note: To use the SessionID in ASP.NET, you can use Page.Session.SessionID to get the session ID.
In client side, for Internet Explorer, you must set the
Internet Option --> Privacy to
Block All Cookies.
