HttpSessionState.IsCookieless Property

Definition

Gets a value indicating whether the session ID is embedded in the URL or stored in an HTTP cookie.

public:
 property bool IsCookieless { bool get(); };
public bool IsCookieless { get; }
member this.IsCookieless : bool
Public ReadOnly Property IsCookieless As Boolean

Property Value

true if the session is embedded in the URL; otherwise, false.

Examples

The following code example sets the cookieless session attribute to true in the Web.config file.

<configuration>  
  <system.web>  
    <sessionState   
      mode="InProc"  
      cookieless="true"  
      regenerateExpiredSessionId="true"  
      timeout="30" />  
  </system.web>  
</configuration>  

Remarks

ASP.NET identifies sessions uniquely with each browser. By default, the unique identifier for a session is stored in a non-expiring session cookie in the browser. You can specify that session identifiers not be stored in a cookie by setting the cookieless attribute to true in the sessionState configuration element.

Note

To improve the security of your application, your application should allow users to log out, at which point it should call the Abandon method. This reduces the potential for an unwanted source using the unique identifier in the URL to retrieve private data stored in the session for a user.

ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique session ID lit3py55t21z5v55vlm25s55:

http://www.example.com/(S(4danlfat035muve4g0mvgfrr))/orderform.aspx  

ASP.NET modifies the links contained in all requested pages by embedding a session-ID value in the links just before sending each page to the browser. Session state is maintained as long as the user follows the path of links that the site provides. However, if the user agent rewrites a URL, the session-state instance will be lost.

The session ID is embedded in the URL after the slash that follows the application name and before any remaining file or virtual-directory identifier. This allows ASP.NET to resolve the application name before involving the SessionStateModule in the request.

By default, session identifiers used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started using the session ID supplied with the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless session ID is shared with multiple browsers, perhaps through a search engine or other program. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling of session identifiers. To do this, set the regenerateExpiredSessionId attribute of the sessionState configuration element to true. This will result in a new session ID being generated when a cookieless session request is made with an expired session ID. Note that if the request made with the expired session ID uses the HTTP POST method, then any posted data will be lost when regenerateExpiredSessionId is true, as ASP.NET performs a redirect to ensure that the browser has the new session identifier in the URL.

Note

While setting the regenerateExpiredSessionId attribute to true reduces the possibility of unwanted sharing of session data, it does not protect against an unwanted source gaining access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.
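The following is an added example, not part of the original documentation or of ASP.NET itself: a Python sketch that scans request records for the `(S(...))` URL segment described above, reports session IDs used by more than one client, and redacts the ID before a URL is logged. The function names, the sample records, and the assumption that an ID consists only of letters and digits (as in this page's sample values) are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches the path segment shown on this page: /(S(<session id>))/
# The ID alphabet is an assumption based on the page's sample values.
SESSION_SEGMENT = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)(?=/|$)")

def extract_session_id(url):
    """Return the cookieless session ID embedded in the URL path, or None."""
    match = SESSION_SEGMENT.search(urlsplit(url).path)
    return match.group(1) if match else None

def redact_session_id(url):
    """Replace the embedded ID so the URL can be written to logs safely."""
    return SESSION_SEGMENT.sub("/(S(REDACTED))", url)

def shared_session_ids(records):
    """Map each session ID to its clients when more than one client used it.

    records: iterable of (client_ip, user_agent, url) tuples.
    """
    clients = defaultdict(set)
    for ip, agent, url in records:
        sid = extract_session_id(url)
        if sid:
            clients[sid].add((ip, agent))
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}

# Constructed sample records (documentation address ranges, made-up agents).
BASE = "http://www.example.com"
SAMPLE = [
    ("192.0.2.10", "Browser/1.0", BASE + "/(S(4danlfat035muve4g0mvgfrr))/orderform.aspx"),
    ("192.0.2.10", "Browser/1.0", BASE + "/(S(4danlfat035muve4g0mvgfrr))/cart.aspx?x=1"),
    ("198.51.100.7", "Crawler/2.0", BASE + "/(S(4danlfat035muve4g0mvgfrr))/orderform.aspx"),
    ("203.0.113.5", "Browser/1.0", BASE + "/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx"),
    ("203.0.113.5", "Browser/1.0", BASE + "/default.aspx"),
]

if __name__ == "__main__":
    for sid, seen in shared_session_ids(SAMPLE).items():
        print("session", sid, "used by", seen)
    print(redact_session_id(SAMPLE[0][2]))
```

A session ID seen from two clients is a signal to review rather than proof of misuse, because a legitimate user's address can change during a session.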
