Configure Use URI Cookie Mode for Session State (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
You can configure session state without using cookies. When you use a Uniform Resource Identifier (URI) to handle session state, the session ID is embedded as a query string in the URI request, and then the URI is redirected to the originally requested URL. The changed URI request is used for the duration of the session, so that no cookie is necessary.
When you use a URI, you should require that expired session IDs be regenerated. Doing so enables a Web server to expire and regenerate tokens, which gives a potential attacker less time to capture a cookie and gain access to Web server content.
Using a URI to track session state can help you avoid the disadvantages of cookies, including browser support problems and the possibility that users will disable cookies. However, using a URI has the following disadvantages:
Cannot use absolute URLs without losing session state, which means that if a user goes to another application and then returns to the previous one, the user's input no longer exists on the page.
Does not allow users to bookmark Web pages, because session state is lost.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Session State Feature Requirements (IIS 7).
Exceptions to feature requirements
To configure Use URI cookie mode for session state
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
To Use the UI
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Session State.
On the Session State page, in the Cookie Settings area, select Use URI from the Mode drop-down list.
Check Regenerate expired session ID, and then click Apply in the Actions pane.
To configure URI cookie mode for session state, use the following syntax:
appcmd set config /commit:WEBROOT /section:sessionState /cookieless:UseUri /regenerateExpiredSessionId:True|False
The variable cookieless:UseUri configures IIS 7 to use URI cookie mode for session state. The variable regenerateExpiredSessionId:True|False enables or disables the regeneration of expired session IDs.
When you use Appcmd.exe to configure the <sessionState> element at the global level in IIS 7, you must specify /commit:WEBROOT in the command so that configuration changes are made to the root Web.config file instead of ApplicationHost.config.
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
Use the following WMI classes, methods, or properties to perform this procedure:
- SessionStateSection.Cookieless property "UseUri" flag
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.