Where is the session stored if the cookie is disabled on the client machine? What is actually stored in the session?

A session cookie is a special non-persistent cookie. It is stored only in memory, so in most cases, even when cookies are disabled, it still works fine.

It is also possible to include something called cookieless sesssions where the sessionID is embedded in the URL, for example:

http: // yourserver / folder / (here is the encrypted session identifier) ​​/default.aspx

Here's a link to an MSDN article with more details: http://msdn.microsoft.com/en-us/library/aa479314.aspx

NOTE. . You can completely block the session cookie. For example, in IE8, I just went to Tools> Internet Options> Privacy. When I turned the slider up to High or higher, my sites never passed the login screen because the session cookie was blocked - in fact, Josh Stodola said below that in this case the session would never be created on the server.

However, understand that this type of behavior effectively violates the Internet. Therefore, if you do not build a site focused on conspiracy theorists, in my opinion (and the opinion of most of the largest sites in the world), there is no need to serve a tiny percentage of users who do not play by the usual rules.

For them, the Internet simply will not work as it intended.

Instead of the session identifier passed through the cookie, it is usually passed as a query string in the URL or as a custom HTTP header. However, in the scenario you described, your user will never get a session because you have cookieless set to false.

I have not implemented this personally. But it should be like:

Like Cookiless = false in the web.config file, and the browser disabled cookies, when the first request to the page arrives, the HTTP module checks for cookies for authentication. Now it will be empty, which will send the user to the login page. Now, when the second request comes to any page on the website, he will again find empty cookies for authentication and send the user to the login page. Therefore, for each request, the user must create a new session.

No. If cookies are disabled, the session will not work.

if you want to use the session when cookies are disabled, you can pass the session through the URL.

It is stored directly in the browser

There are two ways to store session state: a unique identifier that associates a client with a server session; by storing the HTTP cookie on the client or by encoding the session identifier in the URL.

Session Mode = "InProc" is the default mode that stores session state information on a web server. However, when you say cookieless = "false", you say to keep the unique identifier in the cookie. This identifier is created when the session is created, therefore, during postback, the identifier is taken from the cookie. If the cookie is disabled in the browser, then a session will be created and this identifier will be transmitted by URL.

You can view cookies by going to browser settings → Privacy → Content Settings → All cookies and site data → Saved with the site name You can probably find cookies in% userprofile% \ AppData \ Roaming \ Microsoft \ Windows \ Cookies, but may vary from operating system to system.

Cookies usually store a small portion of insensitive personal information. If you need to store confidential data, such as username and password, it is better to encrypt this data.

A cookie typically stores user information. For more information, visit the URL http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookieless(v=vs.110).aspx http://msdn.microsoft. com / en-us / library / ff647070.aspx # pagexplained0002_cookielessforms