Cookieless session from URL to QueryString - asp.net

We're currently having an issue with cookieless sessions in ASP.NET. According to the documentation on MSDN here, when you use AutoDetect:
ASP.NET determines whether the requesting browser or device supports cookies. If the requesting browser or device supports cookies, AutoDetect uses cookies to persist user data; otherwise, an identifier is used in the query string. If the browser or device supports cookies, but cookies are currently disabled, cookies are still used by the requesting feature.
Notice the query string part! Now, if it were indeed added to the URL like &sessionId=yoursessionidhere, it would all be fine, but what I actually get are URLs like this: http://yourserver/folder/(session ID here)/default.aspx.
So my question is: how would I configure ASP.NET to use the query string (as it claims) instead of this URL-defacing method?
UPDATE:
I'm adding the config value we use in our web.config:
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" cookieless="AutoDetect" timeout="20" />

Reading this resource here http://forums.asp.net/t/1480365.aspx/1: do you have the cookieless="UseUri" setting in the web.config? Try deleting that; from what I gather it may help! Do let me know!
Additionally it would probably be worth posting your config block in the question.
I've done some more digging and found this post, which covers the request handling in the source code for MVC. Using the session ID in the URL for routing looks to be baked in pretty deep; see the accepted answer's code blocks in Possible Bug With ASP.NET MVC 3 Routing?
I'll keep looking for you, but this one has me stumped! I think you need to get this question in front of someone like Hanselman, Haack or Skeet.

Related

Why do all ASP.NET MVC websites allow and ignore the string "/(F())/" in front of ANY URL?

I noticed that requests to my ASP.NET web app succeed even if I prefix the URL with /(F())/, which is nonsense. The usual action method is hit. Request.Url does not show the URL prefix. So if I request /(F())/x, the action sees Request.Url == "/x".
I then tried other ASP.NET MVC sites such as Stack Overflow:
https://stackoverflow.com/(F())/questions/43593952/why-do-all-asp-net-mvc-websites-allow-and-ignore-the-string-f-in-front-o
According to Fiddler the request is being made as intended:
As you can see the request URL is correct and the server replies without redirect with the full content. The browser window shows that URL as well.
This URL does work. So I conclude that something in the framework causes this request to be rewritten and the prefix dropped. It looks like the Stack Overflow application was unaware of the prefix.
The same result occurs in a fresh MVC app created in Visual Studio 2017 on .NET 4.6.2 on Windows 7.
Another funny victim: https://www.microsoft.com/(F(blah))/en-us/default.aspx (The Microsoft homepage).
The string (F()) is not special. See the comments for other strings that work e.g. /(F(pV0)).
Since my ASP.NET code is blind to the original URL (Request.Url does not contain the prefix) I seemingly cannot even detect this condition and fail the request.
I have not confirmed that this is an MVC problem. It seems hard to find the culprit in the huge sea of functionality that ASP.NET+IIS ship with. Who knows what features are turned on by default?! I don't think anyone really knows :)
At the very least this is an SEO problem, but I find it disturbing as well to not know what's going on. That's why I'm investigating. What behavior is that, and how do I get rid of it?
This is caused by the ASP.NET cookieless feature set. The URL may now look like this:
http://example.com/MyWebApplication/(A(XXXX)S(XXXX)F(XXXX))/home.aspx
Breaking it down:
A(XXXX): This is the Anonymous-ID. It is used to identify the (anonymous) user accessing your application. The string may or may not be encrypted, depending on your configuration settings in the section.
S(XXXX): This is the Session-ID (same as V1.1).
F(XXXX): This is the Forms Authentication ticket.
Since cookieless mode is entirely obsolete and causes SEO problems and confusion, I recommend disabling all possible cookieless features on all ASP.NET websites immediately.
For each of the above features (Forms Authentication, Anonymous Identification, and Session State), you can control if and when cookies will be used, and when the cookieless feature will be used instead. The configuration setting controlling this is:
cookieless="UseCookies | UseUri | UseDeviceProfile | AutoDetect"
In my case I set:
<anonymousIdentification enabled="false" />
<sessionState ... cookieless="UseCookies" />
You will need to adapt this to your needs.
This hopefully addresses the generation of these URLs but seemingly it does not prevent the framework from (silently) accepting such a URL. The documentation claims that a header AspFilterSessionId will be present but I found that not to be the case.
For now I have no solution for blocking requests to these unwanted URLs.

Changing aspx website urls

I have a web site. URLs should appear in the form com/default.aspx. But when I click on the URL, it appears as com/(S(hito5tqogutqn21tcn2mozjrr))/default.aspx. How do I fix it? The random string in the URL itself keeps changing.
Check this: https://msdn.microsoft.com/en-us/library/aa479314.aspx
This is happening probably because (unless, you have specified explicitly to use the uri for session id management, which I think, is not the case) the browser does not allow cookies (either for your web site or for all) and Asp.Net detects this and appends the session id to the uri because otherwise your site would not be able to support sessions.
In fact, this is the most secure approach, allowing session state to be available even if the user had disabled cookies.
You can change this behaviour by specifying the following in your web.config file:
<system.web>
<sessionState cookieless="UseCookies" />
</system.web>
After that, you will not see the session Id in the Uri, but users whose browsers do not accept cookies from your web site will not be able to have a session state.
At this point, defining a privacy policy for your web site might help your cookies to be accepted by the browsers:
https://msdn.microsoft.com/en-us/library/ms178194.aspx

ASP MVC - Bunch of random characters in POST request route string

I am trying to log in to my own application, and I have discovered something strange. When I send a POST request to a login controller, it somehow redirects itself to a GET login controller and displays the login form with an action set to http://localhost:5898/(X(1)S(1tgv3m2psb2cxqaw4koiyhyt))/Account/Login. Now what the hell is this (X(1)S(1tgv3m2psb2cxqaw4koiyhyt)) thing? Why is it there, and what does it do? And on top of that, how do I get rid of it? I do not want it in there...
It appears that you have set the session provider in your web.config (or on IIS) to use a Cookieless session state. This is the session identifier for your session.
http://msdn.microsoft.com/en-us/library/aa479314.aspx#cookieless_topic2
To get rid of it, you would need to change your sessionState element in your web.config to cookieless="false".
SessionState Web.Config element information
Those things are seen in ASP.NET when you disable cookies in your browser or your application settings. That is cookieless ASP.NET. You can start debugging your app from there.
Hope it helps.

url shows weird string

I'm testing my asp.net website on my local server (Windows Server 2008, IIS 7.0.6), and when I type in just the IP address in my browser, e.g.,
192.168.0.5
it comes back like this:
http://192.168.0.5/(S(u0nmzwxobbwpuk1mtvuybwn0))/default.aspx
The weird stuff between .0.5/ and /default.aspx changes every time I type in the ip and hit enter.
The content shows up correctly, but obviously there's a problem with the url.
Sounds like you might be using cookieless sessions.
Basically ASP.NET is storing your session id in the query string instead of storing it in a cookie. Looks gross, but allows you to use session state when someone does not accept cookies. You can read more here.
Guessing here - in your web.config file, you have set the sessionState cookieless attribute to UseUri or to true.
See the documentation on the sessionState element.
Seems like you have cookieless sessions enabled. The article below illustrates the behavior:
MSDN - Cookie Less Sessions in ASP.NET
Changing the setting in web.config can change the behavior:
<sessionState cookieless="true" />

Remove Cookie Support

My site has the following url format: www.mysite.com/Display.aspx?ID=128
However most users see the url as
www.mysite.com/Display.aspx?ID=128&AspxAutoDetectCookieSupport=1
How can I prevent &AspxAutoDetectCookieSupport=1 from appearing in the URL?
Is it something to do with cookies in web.config, and if so, where? And what would the implications be if I remove it? How do I remove it?
Session State and Forms Authentication can both be set up in the web.config file to operate without cookies - this is called "cookieless configuration". When this happens, ASP.Net can be set to try to compensate for lack of cookies by using the query string as a cookie substitute. This is what is causing your unwanted querystring parameters.
You should look in your web.config for "cookieless = AutoDetect" or "cookieless = UseUri".
Changing the setting to "cookieless = UseCookies" will ensure that the cookieless feature will not be used, and hence it won't be appending the AspxAutoDetectCookieSupport to your URL.
The implication of this is that users who browse with cookies turned off will not be able to have Session data or use Forms Authentication. This may or may not affect your target audience; you'll have to judge that for yourself.
Edit: Here's the MSDN link for the cookieless feature: http://msdn.microsoft.com/en-us/library/aa479315.aspx
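As an added example (not code from any of the posts above), here is a small Python scanner that finds the two URL artifacts these answers describe in IIS W3C log lines: the cookieless path segment with A(...), S(...), F(...) and X(...) markers from the answer that breaks down /(A(XXXX)S(XXXX)F(XXXX))/, and the AspxAutoDetectCookieSupport=1 query parameter from this last answer. The log excerpt is constructed; the column layout and the regular expressions are my assumptions, not part of the page.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not from the original page); the URL shapes
# are the ones quoted in the answers above.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:00 GET /default.aspx - 203.0.113.5 200
2024-01-01 10:00:01 GET /(S(u0nmzwxobbwpuk1mtvuybwn0))/default.aspx - 203.0.113.5 200
2024-01-01 10:00:02 POST /(X(1)S(1tgv3m2psb2cxqaw4koiyhyt))/Account/Login - 203.0.113.6 302
2024-01-01 10:00:03 GET /MyWebApplication/(A(abc)S(def)F(ghi))/home.aspx - 203.0.113.7 200
2024-01-01 10:00:04 GET /Display.aspx ID=128&AspxAutoDetectCookieSupport=1 203.0.113.8 200
2024-01-01 10:00:05 GET /(F())/x - 203.0.113.9 200
"""

# One cookieless segment: "/(" + one or more of A(...), S(...), F(...), X(...) + ")"
# followed by "/" or end of path. Values may be empty, as in /(F())/.
SEGMENT_RE = re.compile(r"/\(((?:[ASFX]\([^()]*\))+)\)(?=/|$)")
MARKER_RE = re.compile(r"([ASFX])\(([^()]*)\)")

def strip_cookieless(path):
    """Return (path without the segment, {marker: value}); markers is empty
    when the path carries no cookieless identifiers."""
    m = SEGMENT_RE.search(path)
    if not m:
        return path, {}
    markers = dict(MARKER_RE.findall(m.group(1)))
    return (path[:m.start()] + path[m.end():]) or "/", markers

def has_autodetect_marker(query):
    """True when the AutoDetect probe parameter is present in the query string."""
    return query != "-" and "AspxAutoDetectCookieSupport" in parse_qs(query)

def scan_iis_log(text):
    """Return one finding per log line whose URL carries cookieless state."""
    findings, fields = [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        clean, markers = strip_cookieless(row["cs-uri-stem"])
        autodetect = has_autodetect_marker(row["cs-uri-query"])
        if markers or autodetect:
            findings.append({"client": row["c-ip"], "path": clean,
                             "markers": markers, "autodetect": autodetect})
    return findings
```

Running scan_iis_log(SAMPLE_LOG) flags five of the six rows; the cleaned path tells you which real resource was hit, and the markers show which cookieless feature (session, anonymous ID, forms ticket) put state into the URL, so hits can be alerted on even though Request.Url inside the application no longer shows the prefix.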
