Microsoft ASP.NET 4 : Caching and State Management - Tracking Session State

1. Tracking Session State with Cookies

This is the default option for an ASP.NET Web site. In this scenario, ASP.NET generates a hard-to-guess identifier and uses it to store a new Session object. You can see the session identifier come through the cookie collection if you have tracing turned on. Notice how ASP.NET stores the session ID in a request cookie. The tracing information also reveals the names and the values of the session variables. The following graphic shows the session ID in the request details section of the trace:

The following graphic shows tracing information, indicating the session ID is just another cookie:

2. Tracking Session State with the URL

The other main option is to track session state by embedding the session ID as part of the request string. This is useful if you think your clients will turn off cookies (thereby disabling cookie-based session state tracking). Notice that the navigation URL has the session ID embedded in it:

3. Using AutoDetect

When you use AutoDetect, the ASP.NET runtime determines whether the client browser has cookies turned on. If cookies are turned on, the session identifier is passed around as a cookie. If not, the session identifier is stored in the URL.

4. Applying Device Profiles

The UseDeviceProfile option tells ASP.NET to determine whether the browser supports cookies based on the SupportsRedirectWithCookie property of the HttpBrowserCapabilities object set up for the request. Requests that flip this bit to true cause session identifier values to be passed as cookies. Requests that flip this bit to false cause session identifiers to be passed in the URL.

5. Session State Timeouts