As noted in the first section of this chapter, using cookies can be risky. For various reasons, cookies do not work with a certain percentage of browsers used to request pages from your Web site.
By default, session state relies on cookies. The session state facility uses the ASP.NET_SessionId cookie to track users as they move from page to page. If the cookie cannot be added to a user's browser, every request made by the user starts a new user session. Any session data associated with that user is lost when a new page is requested.
The ASP.NET framework includes an option to enable cookieless sessions. Cookieless sessions enable you to take advantage of session state without relying on browser cookies.
Cookieless sessions are implemented with a clever trick. When a user makes the first request to a Web site with cookieless sessions enabled, the URL used for the request is automatically modified to include the user's session ID. For example, if a user makes a request for http://mysite.com/mypage.aspx, the request is automatically modified to http://mysite.com/(nd4vqe2fnbmnwi451fwvda45)/mypage.aspx. The part of the URL that appears in parentheses is the session ID for the current user.
After the session ID is embedded in the URL of the first page request, the session ID will continue to be associated with the user throughout his or her visit to the Web site. The session ID is passed as part of the base URL whenever the user clicks a relative link or submits a form.
Because the session ID is automatically passed from one page to another, the user can be tracked without relying on a cookie. So, by using cookieless sessions, you get all the advantages of session state without the worries about browser incompatibility.
Enabling Cookieless Sessions
You enable cookieless sessions by modifying a single attribute in the Web.Config file. A Web.Config file with the proper settings is included in Listing 16.7 (this file can be found in the Cookieless subdirectory).
Listing 16.7 Cookieless/Web.Config
    <configuration>
      <system.web>
        <sessionState cookieless="true" />
      </system.web>
    </configuration>
The C# version of this code can be found on the CD-ROM.
In the Web.Config file in Listing 16.7, the cookieless attribute is set to the value true. This is the only thing you need to do to enable cookieless sessions.
Cookieless sessions are fully compatible with managing state in process, in a Windows service, or in a database table. There's nothing wrong with enabling cookieless sessions and storing the session data in a database table.
Examining Limitations of Cookieless Sessions
One very significant limitation is imposed on you when you use cookieless sessions. If you choose to use cookieless sessions, you cannot use absolute URLs when linking between pages. You must design your Web site in such a way that every link uses a URL that is relative to the current page. For example, all the following links work fine with a cookieless session:
    <a href="mypage.aspx">Click Here</a>
    <a href="mydir/mypage.aspx">Click Here</a>
    <a href="../mypage.aspx">Click Here</a>
However, the following links do not work with a cookieless session:
    <a href="/mypage.aspx">Click Here</a>
    <a href="http://mysite.com/mypage.aspx">Click Here</a>
Clicking either of these two links starts a new user session, and all the items stored in session state are lost. Because the links include the full path to the page, the session ID is not added.
The same limitation applies to using forms or the Redirect statement. When specifying paths, you must always specify the path relative to the current page.
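The following added example (not part of the book's listings) resolves each link the way a browser does against the session-bearing page URL from the text and reports the href and form action values that would drop the session ID. The function names, the sample markup, and the pattern used to recognize the parenthesized session segment are assumptions made for illustration.

```javascript
// Added example (not from the book). The session ID is the sample value from the text.
// Assumed pattern for the "(sessionid)" segment that cookieless mode places first in the path.
const SESSION_SEGMENT = /^\/\(([a-z0-9]+)\)\//i;

function sessionIdOf(url) {
  const m = url.pathname.match(SESSION_SEGMENT);
  return m ? m[1] : null;
}

// Resolve a link the way a browser does (WHATWG URL resolution against the
// current page) and report whether the session segment survives.
function resolveLink(href, currentUrl) {
  const current = new URL(currentUrl);
  const target = new URL(href, current);
  const id = sessionIdOf(current);
  const keepsSession =
    id !== null && target.origin === current.origin && sessionIdOf(target) === id;
  return { href, resolved: target.href, keepsSession };
}

// Scan markup for href/action values that would start a new session.
// The attribute regex is deliberately simple (double-quoted values only).
function auditLinks(html, currentUrl) {
  const findings = [];
  for (const m of html.matchAll(/\b(href|action)\s*=\s*"([^"]*)"/gi)) {
    const result = resolveLink(m[2], currentUrl);
    if (!result.keepsSession) {
      findings.push({ attribute: m[1].toLowerCase(), ...result });
    }
  }
  return findings;
}

// Constructed sample page, using the links discussed in the text plus one form.
const CURRENT_PAGE = "http://mysite.com/(nd4vqe2fnbmnwi451fwvda45)/mypage.aspx";
const SAMPLE_HTML = `
  <a href="mypage.aspx">Click Here</a>
  <a href="mydir/mypage.aspx">Click Here</a>
  <a href="/mypage.aspx">Click Here</a>
  <a href="http://mysite.com/mypage.aspx">Click Here</a>
  <form action="/checkout.aspx" method="post"></form>`;

for (const f of auditLinks(SAMPLE_HTML, CURRENT_PAGE)) {
  console.log(`${f.attribute}="${f.href}" -> ${f.resolved} (session ID dropped)`);
}
```

A link such as ../mypage.aspx keeps the session ID only when the current page sits in a subdirectory; from a page directly under the session segment it resolves above that segment and the ID is lost.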
Bookmarking a page actually works quite well with cookieless sessions. If you bookmark a page and return to the page after the session expires, you don't receive an error. However, all session data is lost. This works no differently than normal user sessions.