For one of our ASP.Net websites, we have been using the Cookies mode to “AutoDetect” (by adding cookieless=”AutoDetect” in sessionState tag in web.config). This has worked well for years in serving the website correctly to users with all types of securities (even who don’t allow the web cookies).
When the cookies are disabled by the user security policies, then ASP.Net auto detect this and adds the session info in the URL of the each request, something like::
The cryptic path “(X(1)S(cp53yq30mtagv555unhr0t45))” in the URL is actually used to indicate the session ID. ASP.Net auto manage the addition and removal of this session info, and in the ASP.Net codebehind, you don’t need to worry about this. Even you don’t get this URL with session info with Request.URL or any other property.
The only limitation is that this breaks when you try to redirect from ASP.Net to an absolute URL e.g. “/system/index.asp”. We normally don’t use any absolute URL in our application, but there are few places where the absolute path is used (mostly to handle protocol changes), and we discovered that it was causing mysterious automatic log-out for some users (which were not allowing cookies).
The fix, fortunately, was very simple. The ASP.Net naively provides a method which add the current session ID to the URL if using the Cookieless mode. The method is HttpResponse.ApplyAppPathModifier and you can apply this by simply calling and passing required absolute URL:
string redirectUrl = Response.ApplyAppPathModifier("/system/index.aspx")
The beauty of this method is that it auto detects the session mode and only appends session info, if required. If want to know more about Cookieless session in general, I would suggestion this MSDN article: