If HTTP is stateless, how does ASP.NET MVC support sessions?

Question

I get that regular ASP finagles statefullness using viewstate, but MVC doesn't try to perpetuate the bold-faced lie of statefulness. So how is it able to maintain sessions?

Answer 1

By default it stores a randomly generated number in a cookie and stores that in memory. If the browser says it doesn't support cookies, asp.net will then instead add the session key in the url, it will show up like http://myurl.com/(S(rpfa4y3c5oe2c555ljanprek))/Controller/Action

Answer 2

It is using a Session ID to identify a user, stored in Cookies. Spoofing is possible if your know the victim's ID, and if other security measurements won't interfere (e.g IP based authentication).