HttpSessionState.IsCookieless Property


Gets a value indicating whether the session ID is embedded in the URL or stored in an HTTP cookie.

 property bool IsCookieless { bool get(); };
public bool IsCookieless { get; }
member this.IsCookieless : bool
Public ReadOnly Property IsCookieless As Boolean


`true` if the session ID is embedded in the URL; otherwise, `false`.


The following configuration example sets the `cookieless` attribute of the `sessionState` element to `true` in the Web.config file (the `regenerateExpiredSessionId` attribute discussed below is enabled as well):

```xml
<configuration>
  <system.web>
    <!-- Embed the session ID in the URL instead of a cookie -->
    <sessionState cookieless="true"
      regenerateExpiredSessionId="true"
      timeout="30" />
  </system.web>
</configuration>
```


ASP.NET identifies sessions uniquely with each browser. By default, the unique identifier for a session is stored in a non-expiring session cookie in the browser. You can specify that session identifiers not be stored in a cookie by setting the `cookieless` attribute to `true` in the `sessionState` configuration element.


To improve the security of your application, your application should allow users to log out, at which point it should call the Abandon method. This reduces the potential for an unwanted source using the unique identifier in the URL to retrieve private data stored in the session for a user.

ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been modified by ASP.NET to include the unique session ID lit3py55t21z5v55vlm25s55:

ASP.NET modifies the links contained in all requested pages by embedding a session-ID value in the links just before sending each page to the browser. Session state is maintained as long as the user follows the path of links that the site provides. However, if the user agent rewrites a URL, the session-state instance will be lost.

The session ID is embedded in the URL after the slash that follows the application name and before any remaining file or virtual-directory identifier. This allows ASP.NET to resolve the application name before involving the SessionStateModule in the request.

By default, session identifiers used in cookieless sessions are recycled. That is, if a request is made with a session ID that has expired, a new session is started using the session ID supplied with the request. This behavior can result in the unwanted sharing of session data when a link that contains a cookieless session ID is shared with multiple browsers, perhaps through a search engine or other program. You can reduce the possibility of session data being shared by multiple clients by disabling the recycling of session identifiers. To do this, set the `regenerateExpiredSessionId` attribute of the `sessionState` configuration element to `true`. This will result in a new session ID being generated when a cookieless session request is made with an expired session ID. Note that if the request made with the expired session ID uses the HTTP POST method, then any posted data will be lost when `regenerateExpiredSessionId` is `true`, as ASP.NET performs a redirect to ensure that the browser has the new session identifier in the URL.
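The sharing scenario described above leaves a trace in the web server's request log: one cookieless session ID arriving from more than one client. The following Python script is an added example, not part of this documentation page or of ASP.NET itself. It assumes the default cookieless URL layout, in which ASP.NET inserts the session ID as a path segment of the form `/(S(<id>))/` directly after the application name; the host, application path, client addresses and user agents in the sample requests are constructed, and only the session ID lit3py55t21z5v55vlm25s55 is taken from the page.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# ASP.NET embeds the cookieless session ID as the path segment /(S(<id>))/
# placed right after the application name. Assumption: the default "S" tag only;
# applications that additionally use cookieless forms authentication carry more
# tags in that segment, which this example does not try to parse.
COOKIELESS_RE = re.compile(r"/\(S\(([a-z0-9]+)\)\)(?=/|$)", re.IGNORECASE)


def extract_cookieless_session_id(url: str) -> Optional[str]:
    """Return the cookieless session ID embedded in a URL path, or None if absent."""
    match = COOKIELESS_RE.search(urlsplit(url).path)
    return match.group(1) if match else None


# Constructed sample requests as (client IP, user agent, requested URL).
# Not real traffic: the third entry models a crawler that followed a link
# someone shared while it still carried their session ID.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "Mozilla/5.0",
     "http://www.example.com/app/(S(lit3py55t21z5v55vlm25s55))/default.aspx"),
    ("203.0.113.10", "Mozilla/5.0",
     "http://www.example.com/app/(S(lit3py55t21z5v55vlm25s55))/orders.aspx"),
    ("198.51.100.7", "ExampleCrawler/1.0",
     "http://www.example.com/app/(S(lit3py55t21z5v55vlm25s55))/orders.aspx"),
    ("203.0.113.44", "Mozilla/5.0",
     "http://www.example.com/app/(S(abc123abc123abc123abc123))/default.aspx"),
    ("203.0.113.44", "Mozilla/5.0",
     "http://www.example.com/app/default.aspx"),
]


def find_shared_sessions(requests):
    """Group requests by cookieless session ID and return only the IDs that were
    used by more than one distinct client (IP, user agent), with those clients.

    A session ID seen from several clients is the pattern the documentation warns
    about: a URL carrying the ID was copied, indexed or otherwise shared, and with
    recycling enabled every holder of that link can land in the same session.
    """
    clients_by_session = defaultdict(set)
    for client_ip, user_agent, url in requests:
        session_id = extract_cookieless_session_id(url)
        if session_id is not None:
            clients_by_session[session_id].add((client_ip, user_agent))
    return {
        session_id: sorted(clients)
        for session_id, clients in clients_by_session.items()
        if len(clients) > 1
    }


if __name__ == "__main__":
    for session_id, clients in find_shared_sessions(SAMPLE_REQUESTS).items():
        print(f"session {session_id} used by {len(clients)} clients:")
        for client_ip, user_agent in clients:
            print(f"  {client_ip}  {user_agent}")
```

Run against real IIS logs, the same grouping (session ID from the URL stem, keyed by client address and user agent) highlights which cookieless session IDs were reused across browsers; a hit from a crawler user agent is a strong sign that a link with an embedded ID was published somewhere.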


regenerateExpiredSessionId 屬性設為 true 可減少不必要共用會話資料的可能性,但無法防止不想要的來源存取另一位使用者的會話,方法是取得 SessionID 值,並將它包含在對伺服器的要求中。While setting the regenerateExpiredSessionId attribute to true reduces the possibility of unwanted sharing of session data, it does not protect against an unwanted source gaining access to the session of another user by obtaining the SessionID value and including it in requests to the server. 如果您要將私用或機密資訊儲存在會話狀態中,建議您使用 SSL 來加密包含 SessionID的瀏覽器與伺服器之間的任何通訊。If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.