SessionStateSection.Cookieless Property


Gets or sets a value indicating whether cookies are used to identify client sessions.

 property System::Web::HttpCookieMode Cookieless { System::Web::HttpCookieMode get(); void set(System::Web::HttpCookieMode value); };
public System.Web.HttpCookieMode Cookieless { get; set; }
member this.Cookieless : System.Web.HttpCookieMode with get, set
Public Property Cookieless As HttpCookieMode



true if all requests are treated as cookieless, or false if no requests are treated as cookieless, or one of the HttpCookieMode values. The default value in ASP.NET version 2.0 is AutoDetect. In earlier versions, the default value was false.



The following code example demonstrates how to get the Cookieless property. Refer to the code example in the SessionStateSection class topic to learn how to access the SessionStateSection object.

// Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}",
    sessionStateSection.Cookieless);

' Display the current Cookieless property value.
Console.WriteLine("Cookieless: {0}", sessionStateSection.Cookieless)


There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.

For applications that allow clients that do not support cookies, such as a variety of mobile devices, the session ID may be stored in the URL. The URL option has several drawbacks. It requires that the links on the site be relative and that the page be redirected at the beginning of the session with new query-string values, and it exposes the session ID right in the query string, where it can be picked up for use in a security attack.

You are encouraged to use the cookieless mode only if you need to support clients that lack cookie support.

Session state also supports two additional options: UseDeviceProfile and AutoDetect. The former enables the session-state module to determine what mode (cookie or cookieless) is used on a per-client basis based on the browser capabilities. The AutoDetect option performs a handshake with the browser to verify whether a cookie may be stored, and therefore requires an additional request to make the determination. If you need to support cookieless clients, strongly consider using UseDeviceProfile to generate cookieless URLs only for clients that require them.
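The following is an added example, not part of the original documentation: a small audit routine that reports, for a SessionStateSection, whether the effective Cookieless mode can place the session ID in the URL and whether that value was set explicitly or left to the default. The class and method names (CookielessAudit, MayExposeIdInUrl, Describe) are hypothetical, the sample sections are constructed in code, and the program assumes a .NET Framework build that references System.Web and System.Configuration.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

// Added example: CookielessAudit and its members are hypothetical names.
static class CookielessAudit
{
    // Only UseCookies guarantees that the session ID never appears in a URL.
    public static bool MayExposeIdInUrl(HttpCookieMode mode)
    {
        return mode != HttpCookieMode.UseCookies;
    }

    public static string Describe(SessionStateSection section)
    {
        HttpCookieMode mode = section.Cookieless;
        // Distinguishes a value written in this section from an inherited or default one.
        PropertyValueOrigin origin =
            section.ElementInformation.Properties["cookieless"].ValueOrigin;

        string effect;
        switch (mode)
        {
            case HttpCookieMode.UseCookies:
                effect = "session ID is stored in a cookie only"; break;
            case HttpCookieMode.UseUri:
                effect = "session ID is in the URL for every client"; break;
            case HttpCookieMode.UseDeviceProfile:
                effect = "URL session ID only for clients whose browser capabilities lack cookie support"; break;
            default: // HttpCookieMode.AutoDetect
                effect = "URL session ID when the cookie handshake fails; costs one extra request"; break;
        }
        return string.Format("{0} cookieless={1} (origin: {2}): {3}",
            MayExposeIdInUrl(mode) ? "WARN" : "OK  ", mode, origin, effect);
    }

    static void Main()
    {
        // Constructed sample sections so the example runs without a web application.
        // In an application, obtain the section as shown in the SessionStateSection class topic.
        var unset = new SessionStateSection();  // attribute not set: effective default is reported
        var allUri = new SessionStateSection { Cookieless = HttpCookieMode.UseUri };  // legacy "true"
        var perDevice = new SessionStateSection { Cookieless = HttpCookieMode.UseDeviceProfile };
        var cookiesOnly = new SessionStateSection { Cookieless = HttpCookieMode.UseCookies };  // legacy "false"

        foreach (var s in new[] { unset, allUri, perDevice, cookiesOnly })
            Console.WriteLine(Describe(s));
    }
}
```

A WARN line with origin Default or Inherited means the application has not pinned the mode itself, so the effective behavior depends on the framework version or a parent configuration file.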


With UP.Browser 4.1 or UP.Browser 3.2, Redirect always behaves as if the value of the SupportsRedirectWithCookie property of the HttpBrowserCapabilities object is false, unless the Cookieless property in the SessionState section of Web.config has been explicitly set to true.

In ASP.NET version 1.1, the options for this setting were true or false, but with ASP.NET 2.0, the choices are expanded, and AutoDetect is now the default setting. If your Web application has the Cookieless property set to a Boolean value, then Redirect should work as expected for these browsers.