Click here to Skip to main content
Click here to Skip to main content

Cookieless Session in ASP.NET

, 26 Jul 2013 CPOL
Rate this:
Please Sign up or sign in to vote.
Cookieless session in ASP.NET

Introduction

There are various reasons to adopt cookieless session. Recently, I implemented cookieless session and in that process, I went through many articles on the internet, but none of them have gone in depth to bring it all together.

To implement cookieless sessions, you don't have to modify your programming model—a simple change in the web.config file does the trick. But with that can come uncovered scenario and you would end up spending considerable time fixing it up just like I did. So let's get started with what and how it has to be changed to make cookieless work for you with no issues.

Now let us go through the steps one by one:

Step 1: Adjust the web.config file

Interestingly enough, you don't have to change anything in your ASP.NET application to enable cookieless sessions, except the following configuration setting.

<sessionState cookieless="true"
                            />                    
                        <authentication mode="Forms">                     
                        <forms loginUrl="Login.aspx" protection="All" timeout="30"
                            name=".ASPXAUTH" path="/" 
                            requireSSL="false" slidingExpiration="true"
                            defaultUrl="default.aspx"
                            cookieless="UseUri" enableCrossAppRedirects="true"/>                   
                        </authentication> 

Step 2: Adjust all of the URL navigations in aspx files

Be careful, the following code breaks the session:

<a runat="server" href="/test/page.aspx">Click</a>

To use absolute URLs, resort to a little trick that uses the ApplyAppPathModifier method on the HttpResponse class. The ApplyAppPathModifier method takes a string representing a URL and returns an absolute URL that embeds session information.

<a runat="server"
href=”<% =Response.ApplyAppPathModifier("page.aspx")%>”
                        >Click</a>

Step 3: Adjust all of the URL navigations in aspx.cs files

If the URL is set in the code, you need to do it in the following way:

this.Tab2.Url = Response.ApplyAppPathModifier("Page.aspx");

Step 4: Create HttpModule to rewrite your incoming URL for enabling cross domain posts

using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.SessionState;
using System.IO;
using System.Text;

namespace CustomModule
{
  public sealed class CookielessPostFixModule : IHttpModule
  {
    public void Init (HttpApplication application)
    {
      application.EndRequest += new
                  EventHandler(this.Application_EndRequest);
    }
    private string ConstructPostRedirection(HttpRequest req,
                                            HttpResponse res)
    {
      StringBuilder build = new StringBuilder();
      build.Append(
  "<html>\n<body>\n<form name='Redirect' method='post' action='");
      build.Append(res.ApplyAppPathModifier(req.Url.PathAndQuery));
      build.Append("' id='Redirect' >");
      foreach (object obj in req.Form)
      {
        build.Append(string.Format(
  "\n<input type='hidden' name='{0}' value = '{1}'>",
          (string)obj,req.Form[(string)obj]));
      }
      build.Append(
  "\n<noscript><h2>Object moved <input type='submit'
                                       value='here'></h2>
                                       </noscript>");
      build.Append(@"</form>
      <script language="'javascript'">
      <!--
      document.Redirect.submit();
      // -->
      </script>
      ");
      build.Append("</body></html>");
      return build.ToString();
    }
    private bool IsSessionAcquired
    {
      get
      {
        return (HttpContext.Current.Items["AspCookielessSession"]!=null && 
        HttpContext.Current.Items["AspCookielessSession"].ToString().Length>0);
      }
    }
    private string ConstructPathAndQuery(string[] segments)
    {
      StringBuilder build = new StringBuilder(); 

      for (int i=0;i<segments.Length;i++)
      {
        if (!segments[i].StartsWith("(") 
                 && !segments[i].EndsWith(")"))
          build.Append(segments[i]);
      }
      return build.ToString();
    }
    private bool IsCallingSelf(Uri referer,Uri newpage)
    {
      if(referer==null || newpage==null)
        return false;
      string refpathandquery = ConstructPathAndQuery(
                                        referer.Segments);
      return refpathandquery == newpage.PathAndQuery;
    }
    private bool ShouldRedirect
    {
      get
      {
        HttpRequest req = HttpContext.Current.Request;

        return (!IsSessionAcquired
                    && req.RequestType.ToUpper() == "POST"
          && !IsCallingSelf(req.UrlReferrer,req.Url));
      }
    }
    private void Application_EndRequest(Object source, EventArgs e)
    {
      HttpRequest req = HttpContext.Current.Request;
      HttpResponse res = HttpContext.Current.Response;
      if (!ShouldRedirect) return;
      res.ClearContent();
      res.ClearHeaders();
      res.Output.Flush();
      char[] chr = ConstructPostRedirection(req,res).ToCharArray();
      res.Write(chr,0,chr.Length);
    }
    public void Dispose()
    {}
  }
}

For the above to be effective, make the below change to your web config:

 <httpModules>
    <add type="CookielessPostFixModule, OurModule"
               name="CookielessPostFixModule" />
  </httpModules> 

Points of Interest

For the above, I have referred to http://trackgc.com/tr/resources/articles/CookielessAuthentication.htm and http://www.developer.com/net/asp/article.php/2216431/Enabling-POST-in-Cookieless-ASPNET-Applications.htm, but there were issues which I have fixed and mentioned there as well as the purpose of having it here is to make sure someone who gets into a condition like mine gets clean material.

If you find some other thing, please let me know or feel free to edit.

Happy programming guys! Smile | :)

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Pandey Vinay

India India
No Biography provided

Comments and Discussions

 
Questioncookieless session--role of server Pinmemberasian12323-Jan-15 1:59 
GeneralMy rating is 4. PinprofessionalGoel Himanshu2-Aug-14 1:11 
QuestionURL copy issue PinmemberMember 1058724813-Feb-14 22:12 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.150123.1 | Last Updated 27 Jul 2013
Article Copyright 2013 by Pandey Vinay
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid