Sunday 11 January 2015

Cookieless sessions in ASP.Net

In this article we are going to see the cookieless mode in Asp.net, normally each application is received in client browser by having a send and receive mode of Request and Response. For a every request from user, server maintain a session to identify whether same user is requesting the page or different user requesting the page in application. To identity the user maintain the session id for each user.

Normally the Session Id is stored in the Cookiess as in the name of ASP.NET_SessionId with a value of some random number. For the first request it will generate the number for the sessionid for the user, from the second request from the user it will maintain the same sessionId between the client and server. So to maintain the Session it is mandatory to enable the cookies in client side.

Sometimes there is a chance that the cookie's can be disabled in client Browser, Like block the application to set the data on client side , this means it is blocking the application to set the any data in client side. so now we cant able to store any cookies in client machine, so we cant able to handle the storing of session in the client machine.

We can understand this in a simple example.

Let we create a some Aspx pages from the Login screen, when the user entered the username and password save the credentials in the sessions, so we can access it any time in the application, so now each user have an session id based on that only, individual user information are segregated.

            Session["username"] = username.Text;
            Session["password"] = pwd.Text;

Later in some part of the code if we use to access the values from the session we can able to get it using the simple steps.

Session["username"].ToString();
Session["password"].ToString();

so now there is a scenario that the cookies in the client side is disabled, what will happen we cant able to get the values from Session instead we get a null value.

Below image shows the storing sessionid in cookie in the name of ASP.NET_SessionId



from the above we can see the variable name ASP.NET_SessionId

Now we going to see the state when the cookies disabled, we can do a simple  configuration steps make the session to maintain for user by specifying the web.config Cookieless="true" in sessionstate.

http://server/(session ID here)/sample.aspx

In Cookieless state session id is maintained in the Url of the application like below
session id : S(v4fzi2eitec02vnzmblvkwyu) in the url

http://localhost:17186/S(v4fzi2eitec02vnzmblvkwyu)/sample.aspx

 <sessionState cookieless="true" mode="InProc" customProvider="DefaultSessionProvider">

For every request the session id is maintained in the url with the unique value for the same user.

normally cookieless property have a six values

AutoDetect
UseDeviceProfile
UseCookies
UseUri
true
false

cookieless="AutoDetect" :
************************
 It will automatically detect the status of the cookies, whether cookies enabled in this browser or not. based on this it will decide to maintain the session value in url or in cookies.

For this it will use another cookie name and use some url concat with the application url to check whether cookies are enabled or not.

In the above u can see the cookie name AspxAutoDetectCookiesSupport in the browser, On the first load it will try to place the cookie in the browser in the name of AspxAutoDetectCookiesSupport and concat a query string in the url, to mention that this autodetect the cookies and tested by concat the following line. ?AspxAutoDetectCookieSupport=1 .with the url of application like this

http://localhost:176/(X(1)S(v4fzi2eitec02vnzmblvkwyu))/sample.aspx?AspxAutoDetectCookieSupport=1

The above url is the result url after check and redirect because , when it check for the cookie placed in the name AspxAutoDetectCookiesSupport  ,it doesnt find that so it place the session value in url

 and redirect to the same page again with result

Cookies not enabled resulted url :
http://localhost:17186/(X(1)S(v4fzi2eitec02vnzmblvkwyu))/sample.aspx?AspxAutoDetectCookieSupport=1

After a redirect to another page http://localhost:17186/(X(1)S(v4fzi2eitec02vnzmblvkwyu))/home.aspx

Cookies enabled resulted url :
http://localhost:17186/sample.aspx?AspxAutoDetectCookieSupport=1

After a redirect to another page
http://localhost:17186/home.aspx

cookieless="True":
********************
In this option we are forcing the application to use the cookieless mode and maintain the session in the Url.

cookiesless="false"
********************
In this options we are forcing the application to use the cookie based session mode.

remaining are the same one of the above we have mentioned.when we are using cookieless url based session, then we have to keep in mind that we have to maintain the session id to be passed in the url, otherwise for a new url it will generate a different session.

In Response.Redirect use the relative path to redirect with in the application, so now the session id automatically concat with the url like same below

Response.Redirect("~/home.aspx");

If you use the absolute path in the Response.Redirect then it will create a new one Response.Redirect("http;//localhost/home.aspx");

To avoid this use the uses the ApplyAppPathModifier method on the Response:

Response.ApplyAppPathModifier("/home.aspx");

Normally in this method stealing a session id possible, it gives a ways to session hijacking.

From the above information you can learn some of the information about session and cookieless sessions.