Question

I was recently digging into cookieless sessions. I came across an article which says that whenever a session is created on the server, its ID is stored in cookies on the client machine. I was taught in my college that sessions are stored on the server. If the sessionID is in cookies, and cookies are stored locally on the client's machine, how can one say that sessions are stored on the server? Is it right that sessions are stored on the server? If yes, then what is the concept of a cookieless session? Can anyone explain it to me?


Solution

Session state is (almost always) stored on the server, and it is identified by a random number, the session token.

That token needs to be stored by the client and sent to the server along with its HTTP requests (so that the server can remember that it has seen the client before and associate the session with the request).

how one can say that session are stored on server, is that right, that sessions are stored on server?

Only the session token is stored on the client, and since it is a random number, it does not contain any useful information in itself. It only becomes valuable together with the data stored on the server.

if yes then what is the concept of cookieless session

The easiest way to store the token is using cookies. That is what cookies were invented for. Alternatives are handing the cookie back and forth using hidden form variables or as part of the URL.

OTHER TIPS

The session is stored on the server. Each session is associated with an ID (the simplest session state provider in ASP.NET is just a dictionary in memory with IDs as keys). This ID is stored in the client's cookie as well, but in the case of cookieless sessions, the ID is stored in the URL (example).

Think of the Session ID as a key in a table, and Session state as the value. Only the key gets sent to clients, not the value.

In the case of ASP.NET, Session state itself is a Dictionary that contains key / value pairs.

If you're using the standard SQL Server session provider, the table I mentioned above is called ASPStateTempSessions. SessionId is the PK, and the serialized Dictionary is stored in either the SessionItemShort or SessionItemLong column.
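The model the answers above describe, as an added example that is not part of the original posts: a server-side table keyed by a random token, with the token arriving either in a cookie or in the URL. The cookie name `sid` and all class and function names are assumptions; the `/(S(...))/` path segment mirrors the form ASP.NET uses for cookieless sessions.

```python
import re
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"  # assumed cookie name for this example
# Cookieless form: the token rides in a path segment, e.g. /(S(<token>))/page.aspx
URL_TOKEN = re.compile(r"/\(S\(([^()/]+)\)\)/")


class SessionStore:
    """Server-side table: token -> state. Only the token ever leaves the server."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        token = secrets.token_hex(16)  # 128 random bits, carries no user data
        self._sessions[token] = {}
        return token

    def lookup(self, token):
        # A token the server never issued resolves to nothing; it is not adopted.
        return self._sessions.get(token) if token else None


def token_from_request(url, cookie_header=""):
    """Return (token, transport). The cookie is checked first, then the URL."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if COOKIE_NAME in cookie:
        return cookie[COOKIE_NAME].value, "cookie"
    match = URL_TOKEN.search(url)
    if match:
        return match.group(1), "url"
    return None, None


def handle(store, url, cookie_header=""):
    """Resolve one request to its server-side state (None if no valid session)."""
    token, transport = token_from_request(url, cookie_header)
    return store.lookup(token), transport


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create()
    store.lookup(tok)["user"] = "alice"  # constructed sample state
    print(handle(store, "/orders.aspx", f"{COOKIE_NAME}={tok}"))
    print(handle(store, f"/(S({tok}))/orders.aspx"))
```

Because the URL form puts the token in the address itself, it ends up wherever the URL does (browser history, server logs, Referer headers), which is why the cookie is the usual carrier.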

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow