How to configure session state to use Uri in ASP.NET

A software developer can configure session state through the web.config file of the current application (found in the same virtual directory as the .aspx web page files). UseUri is one of the possible values of the cookieless attribute (the HttpCookieMode enumeration). When this mode is set, cookies are never used, regardless of the capabilities of the browser or device; instead, the session ID is stored in the URL.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- other settings are omitted -->
    <sessionState
        cookieless="UseUri" cookieName="ASP.NET_SessionID"
        regenerateExpiredSessionId="true"
        timeout="20"
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        stateNetworkTimeout="10"
        sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
        sqlCommandTimeout="30" allowCustomSqlDatabase="false"
        customProvider=""
    />
  </system.web>
</configuration>


In cookieless mode, the session ID is automatically inserted into the URL. When ASP.NET receives a request, it removes the ID, retrieves the session collection, and forwards the request to the appropriate directory. Because the session ID is inserted into the current URL, relative links automatically gain the session ID as well: if the user is currently on WebPage1.aspx and clicks a relative link to WebPage2.aspx, the relative link includes the current session ID as part of the URL. The real limitation of cookieless mode is that the software developer cannot use absolute links, because ASP.NET cannot insert the session ID into them.

By default, ASP.NET allows a session identifier to be reused. This is a potential security risk, because a session ID might appear in a public place, such as a result page in a search engine. This could lead to multiple users accessing the server with the same session identifier and all joining the same session with the same data. To avoid this risk, the software developer should include the optional regenerateExpiredSessionId attribute and set it to true whenever cookieless sessions are used. In this case, a new session ID is issued if a user connects with an expired session ID. Note that this process forces the current page to lose all view state and form data, because ASP.NET performs a redirect to make sure the browser has a new session ID.
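The two points above (relative links inherit the session ID while absolute links drop it, and a URL-embedded session ID is a value that can leak into logs, referrers and search results) can be seen directly by resolving links the way a browser does. The following Python script is an added example, not code from the original article or from ASP.NET itself. It assumes the standard cookieless URL layout, in which the session ID appears as a path segment of the form /(S(<id>))/ directly under the application root; the session ID, host name and log lines are constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import urljoin, urlsplit, urlunsplit

# Cookieless ASP.NET sessions carry the ID as a path segment: /(S(<id>))/
_COOKIELESS_SEGMENT = re.compile(r"/\(S\(([^()/]+)\)\)(?=/|$)")


def extract_session_id(url: str) -> Optional[str]:
    """Return the session ID embedded in a cookieless URL, or None if absent."""
    match = _COOKIELESS_SEGMENT.search(urlsplit(url).path)
    return match.group(1) if match else None


def resolve_link(current_url: str, href: str) -> str:
    """Resolve an href against the current page exactly as a browser would.

    A page-relative href ("WebPage2.aspx") keeps the /(S(...))/ segment because
    it is resolved against the current path; an absolute href, or a root-relative
    one ("/WebPage2.aspx"), replaces the whole path and so drops the segment.
    """
    return urljoin(current_url, href)


def scrub_session_id(url: str) -> str:
    """Remove the cookieless session segment from a URL, e.g. before the URL is
    written to a log or used as a referrer, so the ID is not exposed elsewhere."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=_COOKIELESS_SEGMENT.sub("", parts.path)))


def scrub_log_lines(lines: List[str]) -> List[str]:
    """Strip session segments from every URL-like field in request log lines."""
    return [_COOKIELESS_SEGMENT.sub("", line) for line in lines]


# Constructed sample values (hypothetical session ID, host and log entries).
CURRENT_PAGE = "http://www.example.com/(S(a1b2c3d4e5f6g7h8i9j0k1l2))/WebPage1.aspx"
SAMPLE_LOG = [
    "2024-01-01 10:00:00 GET /(S(a1b2c3d4e5f6g7h8i9j0k1l2))/WebPage1.aspx 200 "
    "http://www.example.com/(S(a1b2c3d4e5f6g7h8i9j0k1l2))/Start.aspx",
    "2024-01-01 10:00:05 GET /Public/Index.aspx 200 -",
]

if __name__ == "__main__":
    print("session ID:", extract_session_id(CURRENT_PAGE))
    for href in ("WebPage2.aspx", "/WebPage2.aspx", "http://www.example.com/WebPage2.aspx"):
        resolved = resolve_link(CURRENT_PAGE, href)
        print(f"{href!r:45} -> {resolved}  (keeps ID: {extract_session_id(resolved) is not None})")
    print("scrubbed URL:", scrub_session_id(CURRENT_PAGE))
    for line in scrub_log_lines(SAMPLE_LOG):
        print("scrubbed log:", line)
```

Running the script shows that only the page-relative link keeps the session ID, which is the behaviour the article describes, and that the root-relative form loses it just as the absolute form does. The scrubbing helpers are the defensive counterpart to the search-engine exposure discussed above: whatever ends up in access logs, referrer headers or shared links should have the /(S(...))/ segment removed first.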