
ASP.NET MVC and using cookieless sessions

There seem to be conflicting opinions about ASP.NET MVC and cookieless sessions. Some people say MVC downright does not support them, but others seem to be using MVC and cookieless sessions without any issues. If I create a test MVC project and enable cookieless sessions, everything seems to work fine. Does anyone have a definitive and supported answer on the use of cookieless sessions with MVC, i.e. why or why not to use them?

Note: I am aware of the security implications of using cookieless sessions, but in my case and for internal applications the risk of other users stealing session IDs is not too much of an issue.

Mark Erasmus asked Feb 07 '14 21:02





1 Answer

The definitive answer was in the forums.asp.net post you linked to in your original question. Those answers came straight from the product team members themselves. Cookieless forms auth / cookieless session are deprecated technologies. Nothing the ASP.NET team has done in recent years (MVC, WebAPI, SignalR, Friendly URLs) supports it.

Things might work by happy accident, but this should not be misconstrued as an officially supported scenario. All bugs which have been filed regarding cookieless forms auth / cookieless session are automatically resolved "won't fix" by the product teams.

Levi answered Oct 31 '22 14:10

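
As an added example (not part of the original question or answer, and not ASP.NET team code): one way to check whether a web.config still enables the cookieless session or cookieless forms auth modes discussed above. The sample config, the function name `audit_cookieless` and the verdict strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values that always keep the identifier in a cookie.
# "false" is the legacy boolean form accepted by <sessionState>.
COOKIE_ONLY = {"usecookies", "false"}

# Constructed sample web.config for the demonstration.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseUri" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" cookieless="AutoDetect" />
    </authentication>
  </system.web>
</configuration>"""

# The two elements that carry a cookieless attribute, relative to <configuration>.
TARGETS = [
    ("system.web/sessionState", "session state"),
    ("system.web/authentication/forms", "forms authentication"),
]

def audit_cookieless(config_xml):
    """Return (label, value, verdict) for each cookieless setting found."""
    root = ET.fromstring(config_xml)
    findings = []
    for path, label in TARGETS:
        # <location> blocks can override settings per path, so search those too.
        elements = root.findall(path) + root.findall("location/" + path)
        for el in elements:
            value = el.get("cookieless")
            if value is None:
                verdict = "not set (framework default applies)"
            elif value.lower() in COOKIE_ONLY:
                verdict = "ok: identifier stays in a cookie"
            else:
                # UseUri, AutoDetect, UseDeviceProfile and legacy "true" land here.
                verdict = "flag: identifier may be placed in the URL"
            findings.append((label, value, verdict))
    return findings

if __name__ == "__main__":
    for label, value, verdict in audit_cookieless(SAMPLE_WEB_CONFIG):
        print(f"{label}: cookieless={value!r} -> {verdict}")
```

An absent attribute is reported rather than judged, because the script does not evaluate framework or machine-level defaults.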