session in asp.net c# like php session

Question

User414662344 posted

Is there any sessions in asp.net c# like PHP.I mean which is not store session-id in client machine and also session id not show in URL like cookie less session.I dont want to use cookie less session in my application.I want sessions like PHP which is not store session id in client machine and also not show session id in URL is there any way?

Answer 1

User527778624 posted

Hi,

I want sessions like PHP which is not store session id in client machine and also not show session id in URL is there any way?

Are u sure PHP offers detecting a user without session Id from client request?

can u post a link which says so, because just seen "sessions in PHP" which uses Id (user key):

http://www.w3schools.com/php/php_sessions.asp

Answer 2

User1918509225 posted

Hi waqasAli786,

SessionID values are sent in clear text, whether as a cookie or as part of the URL. A malicious user could get access to the session of another user by obtaining the SessionID value and including it in requests to the server.

If you are storing sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID value.

In asp.net , the SessionID value is stored in a non-expiring session cookie in the browser. However, you can specify that session identifiers should not be stored in a cookie by setting the cookieless attribute to true in the sessionState section of the Web.config file.

For more information about how to use session in asp.net ,please refer to the link below:
http://msdn.microsoft.com/en-us/library/ms178581(v=vs.100).aspx

Best Regards,

Kevin Shen.

Answer 3

User281315223 posted

I'm assuming that you are referring to User Sessions and not the actual SessionState (e.g. using the Session as a form of storage at the user-level).

There are multiple approaches for handling Sessions within ASP.NET that I am sure you would find would be comparable to any PHP-related approaches. Generally, Forms Authentication (using Cookies) is going to be the most popular which will store a cookie on the user's browser for the duration of their Session (it will not appear within the URL). Cookieless sessions however will generally store an authentication token within the URL and pass it along during the Session.

You could actually use the other form of Session that I previously mentioned (the SessionState) and store a value that will be stored solely on the server (and will not be able to be accessed through the client nor will it be stored in the URL). The only issue with this approach is that the Session is extremely volatile and various processes can erase it (forcing the user to reauthenticate) such as IIS / Web Server restarts, major exceptions, etc : 

// When the user "logs-in", store their information in the Session
Session["User"] = yourUserName;

So whenever you needed to access the value, you could just access it via the Session or check if the value exists to determine if a user is authenticated within each of your areas.

Answer 4

User753101303 posted

Hi,

I don't see how PHP could find out the correct session for the HTTP request if this information doesn't come from the client side. Are you 100% sure it has some magic mechanism to do do? Keep in mind that regardless of the server side technology you have to deal with how the web works and that all clients are equal...

Edit; according to http://php.net/manual/en/session.idpassing.php it seems to work the same way that is either by passing the sesson id as part of the url or as a cookie...