By default a session uses a cookie in the background. To enable a cookie-less session, we need to change some configuration in the Web.Config file. Follow these steps,
- Open Web.Config file.
- Add a <sessionState> tag under <system.web> tag.
- Add an attribute "cookieless" in the <sessionState> tag and set its value to "AutoDetect" like below:
- <sessionState cookieless="AutoDetect" regenerateExpiredSessionId="true"/>
The possible values for "cookieless" attribute are,
- AutoDetect: Session uses background cookie if cookies are enabled. If cookies are disabled, then the URL is used to store session information.
- UseCookie: Session always use background cookie. This is default.
- UseDeviceProfile: Session uses background cookie if browser supports cookies else URL is used.
- UseUri: Session always use URL.
"regenerateExpiredSessionId" is used to ensure that if a cookieless url is expired a new new url is created with a new session. And if the same cookieless url is being used by multiple users an the same time, they all get a new regenerated session url.