Cookie-less Session in ASP.NET


We use Session in ASP.NET application to maintain the state of the user. These Sessions too use Cookies in the background to associate Sessions with the correct user. But if a user has turned off his browser's cookies then our application will not work on these browsers. For this situation we use Cookie-less Sessions. In Cookie-less Sessions, the values that are required to associate users with their sessions are appended to the browser's URL.


As we know HTTP is a stateless protocol and every request to a web page is treated as a new request. Session is a way of maintaining the state of a page. A session stores user specific data that persists across multiple page requests. We can store any type of object in a session.


  1. Session.Add("Name", txtName.Text);   
  2. Session["Name"] = " txtName.Text;  
Here, both statements can be used to store a value of the "txtName" TextBox in Session.

Similarly, we can also add any other object in the session, like a DataSet.
  1. SqlConnection con = new SqlConnection(ConString);  
  2. SqlCommand cmd = new SqlCommand("SELECT * FROM Employee", con);  
  3. SqlDataAdapter sda = new SqlDataAdapter(cmd);  
  4. DataSet ds = new DataSet();  
  5. sda.Fill(ds);  
To retrieve the session value, we can use the following code:
  1. if (Session["Name"] != null)  
  2. {  
  3.     txtName.Text = Session["Name"].ToString();                  
  4. }
First, we check if a session with name "Name" exists. Then we put the session vaule in the TextBox.

How to Cookie-less Session

By default a session uses a cookie in the background. To enable a cookie-less session, we need to change some configuration in the Web.Config file. Follow these steps:
  1. Open Web.Config file
  2. Add a <sessionState> tag under <system.web> tag
  3. Add an attribute "cookieless" in the <sessionState> tag and set its value to "AutoDetect" like below:
    1. <sessionState cookieless="AutoDetect" regenerateExpiredSessionId="true"/>

The possible values for "cookieless" attribute are:

  • AutoDetect : Session uses background cookie if cookies are enabled. If cookies are disabled, then the URL is used to store session information.
  • UseCookie: Session always use background cookie. This is default.
  • UseDeviceProfile: Session uses background cookie if browser supports cookies else URL is used.
  • UseUri: Session always use URL.

"regenerateExpiredSessionId" is used to ensure that if a cookieless url is expired a new new url is created with a new session. And if the same cookieless url is being used by multiple users an the same time, they all get a new regenerated session url.

We have configured our "Web.config" file to enable cookieless session. Now, its time to test it.

Open Mozilla Firefox and Click on (Tools -> Options -> Pricacy)

Now on History group box select (Firefox will : Use custom settings for history)

Now uncheck (Accept cookeies from sites)


You will get an URL something like this: