Home/ Questions/Q 6850869
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T01:10:39+00:00

In my website I am not using cookies. When the user logs in, I

  • 0

In my website I am not using cookies. When the user logs in, I validate the user credentials by getting password from database and if user credentials are validated I store the Email ID and other user related information into a session. I use the session values in other pages to validate the user for that page.

WebConfig:

<sessionState cookieless="true" />
    <authentication mode="Forms">
      <forms name=".YAFNET_Authentication" loginUrl="Home.aspx" 
protection="All" timeout="43200" cookieless="UseUri"/>
    </authentication>

If I select UseUri for cookiless then the url is 

(S(2zlu5ry2ewsqfuzkfcmy1xl5))/Home.aspx

What is attached to my url, Is it secure to expose this value, I want to use cookie-less session because most of the iPhones browsing the site have cookies disabled.

I have an SSL certificate for my website. I am worried if displaying the above value in url will compromise the security?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    by default session id values are stored in cookies. If you mention cookieless mode,session id will be appended to the URL.

    FROM MSDN
    http://msdn.microsoft.com/en-us/library/ms178581.aspx

    Session Identifiers

    Sessions are identified by a unique identifier that can be read by
    using the SessionID property. When session state is enabled for an
    ASP.NET application, each request for a page in the application is
    examined for a SessionID value sent from the browser. If no SessionID
    value is supplied, ASP.NET starts a new session and the SessionID
    value for that session is sent to the browser with the response.

    By default, SessionID values are stored in a cookie. However, you can
    also configure the application to store SessionID values in the URL
    for a “cookieless” session.

    A session is considered active as long as requests continue to be made
    with the same SessionID value. If the time between requests for a
    particular session exceeds the specified time-out value in minutes,
    the session is considered expired. Requests made with an expired
    SessionID value result in a new session.

    Security Note SessionID values are sent in clear text, whether as a
    cookie or as part of the URL. A malicious user could get access to the
    session of another user by obtaining the SessionID value and including
    it in requests to the server. If you are storing sensitive information
    in session state, it is recommended that you use SSL to encrypt any
    communication between the browser and server that includes the
    SessionID value.

    • 0