hits counter

IIS/ASP.NET Cookieless Support Not Working As Expected

In one of the environments I work, cookies cannot be used because the pages run inside web browser controls running on a client application and cookies end up being shared by all browsers.

Fortunately, ASP.NET allows us to persist some cookies as part of the URL.

To persist the session state identifier cookie in the URL we just need to add the following configuration:

<configuration>
<system.web>
<sessionState cookieless="UseUri" />
</system.web>
</configuration>

and you’ll get URLs like this:

http://localhost/Cookieless/(S(jcmwek3ja0lvdpbwoacpjirv))/default.aspx

The way IIS and ASP.NET do this is by IIS removing the section between parenthesis after the virtual directory path and adding the AspFilterSessionId HTTP header to the request. Than, ASP.NET picks it up and extracts the cookie.

I wrote this simple page to demonstrate this working:

<%@ Page Language="C#" AutoEventWireup="true" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <table>
            <tr>
                <td>Raw URL</td>
                <td><%= Request.RawUrl %></td>
            </tr>
            <tr>
                <td>Cookiless Cookies<br />AspFilterSessionId Request HTTP Header</td>
                <td><%= Request.Headers["AspFilterSessionId"] %></td>
            </tr>
            <tr>
                <td>Session ID</td>
                <td><%= Session.SessionID %></td>
            </tr>
        </table>
    </div>
    </form>
</body>
</html>

For the above URL, we'll get a page like this:

    <td width="200">/Cookieless/default.aspx</td>
  </tr>

  <tr>
    <td>Cookiless Cookies 
      <br />AspFilterSessionId Request HTTP Header</td>

    <td>S(jcmwek3ja0lvdpbwoacpjirv)</td>
  </tr>

  <tr>
    <td>Session ID</td>

    <td>jcmwek3ja0lvdpbwoacpjirv</td>
  </tr>
</tbody></table>

IIS strips these cookies even for serving static content like cascading stylesheets.

You can test this by creating a default theme. You can do this by adding a Default folder under the App_Themes folder and adding a Styles.css file to it:

body
{
    background-color: Yellow;
}
table, tr, td
{
    border: thin solid black;
}

and setting the theme as default using the following configuration:

<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
    <pages theme="Default"/>
  </system.web>
</configuration>

And you'll get a "pretier" page:

Raw URL 
    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid" width="200">/Cookieless/default.aspx</td>
  </tr>

  <tr>
    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">Cookiless Cookies 
      <br />AspFilterSessionId Request HTTP Header</td>

    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">S(jcmwek3ja0lvdpbwoacpjirv)</td>
  </tr>

  <tr>
    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">Session ID</td>

    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">jcmwek3ja0lvdpbwoacpjirv</td>
  </tr>
</tbody></table>

If you have special needs for your session state identifiers, you can implement your own session identifier manager.

But if you want to use cookieless cookies, you only have one way to do it: extend the SessionIDManager class:

public class SessionIdManager : System.Web.SessionState.SessionIDManager
{
    public override string CreateSessionID(System.Web.HttpContext context)
    {
        string id = System.Guid.NewGuid().ToString("B");

        return id;
    }

    public override bool Validate(string id)
    {
        try
        {
            new System.Guid(id);
            return true;
        }
        catch
        {
            return false;
        }
    }
}

and configure the session state module to use it:

<configuration>
  <system.web>
    <sessionState cookieless="UseUri" sessionIDManagerType="SessionIdManager" />
    <pages theme="Default"/>
  </system.web>
</configuration>

And we'll end up with this nice page:

http://localhost/Cookieless/(S(%7b0861e55a-e29b-4b6f-825b-1e1d4c57f095%7d))/default.aspx

Raw URL 
    <td>/Cookieless/(S({0861e55a-e29b-4b6f-825b-1e1d4c57f095}))/default.aspx</td>
  </tr>

  <tr>
    <td>Cookiless Cookies 
      <br />AspFilterSessionId Request HTTP Header</td>

    <td>&#160;</td>
  </tr>

  <tr>
    <td>Session ID</td>

    <td>{0861e55a-e29b-4b6f-825b-1e1d4c57f095}</td>
  </tr>
</tbody></table>

OOPS! What happened here?

Looks like IIS was unable to transfer the cookies to the appropriate HTTP header but ASP.NET was able to find the requested resource. On the other hand, IIS couldn’t find the http://localhost/Cookieless/(S(%7b0861e55a-e29b-4b6f-825b-1e1d4c57f095%7d))App_Themes/Default/Styles.css.

This happens in these environments:

Raw URL 
  <th valign="top">IIS</th>

  <th valign="top">ASP.NET</th>
</tr>

  <td valign="top">5.1</td>

  <td valign="top">2.0 SP1, 3.5</td>
</tr>

<tr>
  <td valign="top">Windows Server 2003 R2</td>

  <td valign="top">6</td>

  <td valign="top">2.0 SP1, 3.5</td>
</tr>

<tr>
  <td valign="top">Windows Server 2008</td>

  <td valign="top">7</td>

  <td valign="top">2.0 SP1, 3.5</td>
</tr>
Operating System
Windows XP Pro SP3

Fortunately, in IIS 7 you can have HTTP modules in integrated pipeline mode that are called for every resource requested to IIS.

Your module doesn’t even need to do nothing. It just needs to exist:

public class Module : System.Web.IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(System.Web.HttpApplication context)
    {
    }
}

and be added to the configuration:

<configuration>
  <system.web>
    <sessionState cookieless="UseUri" sessionIDManagerType="SessionIdManager" />
    <pages theme="Default"/>
  </system.web>
  <system.webServer>
    <modules>
      <add name="Module" preCondition="integratedMode" type="Module" />
    </modules>
  </system.webServer>
</configuration>

And our “pretty” page is back:

    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid" width="200">/Cookieless/default.aspx</td>
  </tr>

  <tr>
    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">Cookiless Cookies 
      <br />AspFilterSessionId Request HTTP Header</td>

    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">S({0861e55a-e29b-4b6f-825b-1e1d4c57f095})</td>
  </tr>

  <tr>
    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">Session ID</td>

    <td style="border-right: black thin solid; border-top: black thin solid; border-left: black thin solid; border-bottom: black thin solid">{0861e55a-e29b-4b6f-825b-1e1d4c57f095}</td>
  </tr>
</tbody></table>

Is it just me, or there’s something definitely wrong here?

That’s why I opened this bug on Microsoft Connect

3 Comments

Comments have been disabled for this content.

Raw URL