HttpSessionState.SessionID Property


Gets the unique identifier for the session.

 property System::String ^ SessionID { System::String ^ get(); };
public string SessionID { get; }
member this.SessionID : string
Public ReadOnly Property SessionID As String


The unique session identifier.


The following code example shows a Web.config file that configures session state to use cookieless session identifiers. For more information, see the IsCookieless property.

    <sessionState cookieless="true"
      timeout="30" />


The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application.

If you want to disable the use of cookies in your ASP.NET application and still make use of session state, you can configure your application to store the session identifier in the URL instead of a cookie by setting the cookieless attribute of the sessionState configuration element to true, or to UseUri, in the Web.config file for your application. You can have ASP.NET determine whether cookies are supported by the browser by specifying a value of UseDeviceProfile for the cookieless attribute. You can also have ASP.NET determine whether cookies are enabled for the browser by specifying a value of AutoDetect for the cookieless attribute. If cookies are supported when UseDeviceProfile is specified, or enabled when AutoDetect is specified, then the session identifier will be stored in a cookie; otherwise the session identifier will be stored in the URL. For more information, see the IsCookieless property.

The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.
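The following is an added example, not part of the original documentation: a Python check that reads a Web.config and reports whether the cookieless values described above can place the SessionID in the URL, and whether the session cookie is limited to SSL connections. The finding names, the sample configs, the treatment of a missing cookieless attribute as UseCookies, and the check of the requireSSL attribute on the httpCookies element are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# cookieless values named in the text, grouped by where the SessionID can travel.
URL_ALWAYS = {"true", "useuri"}
URL_POSSIBLE = {"autodetect", "usedeviceprofile"}

# Constructed sample configs (not taken from the documentation).
WEAK = """<configuration><system.web>
  <sessionState cookieless="true" timeout="30" />
</system.web></configuration>"""
MIXED = """<configuration><system.web>
  <sessionState cookieless="AutoDetect" timeout="30" />
</system.web></configuration>"""
HARDENED = """<configuration><system.web>
  <sessionState cookieless="UseCookies" timeout="30" />
  <httpCookies requireSSL="true" />
</system.web></configuration>"""

def audit_session_config(web_config_xml):
    """Return finding names (hypothetical labels) for one Web.config string."""
    root = ET.fromstring(web_config_xml)
    state = next(root.iter("sessionState"), None)
    # Assumption: a missing element or attribute means cookie-based IDs.
    mode = "usecookies"
    if state is not None:
        mode = state.get("cookieless", "UseCookies").strip().lower()
    findings = []
    if mode in URL_ALWAYS:
        findings.append("session-id-in-url")
    elif mode in URL_POSSIBLE:
        findings.append("session-id-in-url-possible")
    # A cookie can carry the ID in every mode except the URL-only ones;
    # requireSSL on <httpCookies> keeps it off unencrypted connections.
    cookies = next(root.iter("httpCookies"), None)
    require_ssl = (cookies is not None
                   and cookies.get("requireSSL", "false").strip().lower() == "true")
    if mode not in URL_ALWAYS and not require_ssl:
        findings.append("session-cookie-not-ssl-only")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("mixed", MIXED), ("hardened", HARDENED)):
        print(name, audit_session_config(cfg))
```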

When using cookie-based session state, ASP.NET does not allocate storage for session data until the Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the Session object.

If your application uses cookieless session state, the session ID is generated on the first page view and is maintained for the entire session.