Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

If HTTP is stateless, how does ASP.NET MVC support sessions?

I get that regular ASP finagles statefullness using viewstate, but MVC doesn't try to perpetuate the bold-faced lie of statefulness. So how is it able to maintain sessions?

like image 362
sircodesalot Avatar asked Feb 16 '23 14:02

sircodesalot


2 Answers

By default it stores a randomly generated number in a cookie and stores that in memory. If the browser says it doesn't support cookies, asp.net will then instead add the session key in the url, it will show up like http://myurl.com/(S(rpfa4y3c5oe2c555ljanprek))/Controller/Action

like image 100
Solmead Avatar answered Apr 01 '23 06:04

Solmead


It is using a Session ID to identify a user, stored in Cookies. Spoofing is possible if your know the victim's ID, and if other security measurements won't interfere (e.g IP based authentication).

like image 38
Mark Segal Avatar answered Apr 01 '23 07:04

Mark Segal