Using cookieless sessionState in ASP.Net

If your ASP.Net application is storing sessionState data and you want to avoid using cookies, this can be achieved by simply setting the sessionState cookieless parameter to “true”. This will create a unique id for the sessionState and ammend any application URLs by adding this id to them.

For example, if the URL of your application homepage normally looks like this


Cookieless sessionState would ammend the URL to read:


Setting this up is simple. It is merely a case of changing the cookieless value of the sessionState entry in the Web.config file of your application, like so:

     <sessionState mode="InProc" timeout="60" cookieless="true" />

The example above uses the InProcess sessionState mode (which ASP uses by default for performance), sets a session timeout of 60 minutes and enables cookieless sessionState. The beauty of this built in feature means that ASP.Net handles all sessionState cookieless features for you. All URLs in your application will be ammended with this sessionState ticket and sent with the queryString at every postback to the server – no other coding is required.

Please note that the state will be lost if the user url-rewrites any of the links within your application, but so long as the user keeps to the links within your site then state will be maintained and any data you have stored in the way of session variables, for example, will be available to the application.