Found applying httponly in config file does not work for IIS 6.0. Added code in Gloabal.asax ApplicationEndRequest to append HttpOnly to all response cookies, but still ASPSESSIONID is not getting HttpOnly tag. asp.net asp.net-4.0 | this question edited Aug 12 13 at 5:59 asked Jul 31 13 at 10:01 Bhupendra Shukla 2,645 5 29 51.Your session is identified by a cookie, so youre right that cookies should be enabled for the default session implementation, but you can do a cookie-less session. ASP.NET sessions are stored on the web server and no cookies whatsoever are used for this. ASP.NET if configured to use session with webconfig->session state: then we can configure it as either stateconnection or as sqlconnection. ASP.NET server fails to track the session information. Then cookieless sessions are the best option.So, how it is tracking session information without cookies? Where is ASP. NET storing the session ID when cookies are not being used? 1. PRESENTATION ON COOKIE AND SESSION MANAGEMENT IN ASP .NET Submitted To: Rachana Kamaliya Prepared By: Kumbhani Minaxi Limbasiya Jignasha 2. INDEX Introduction 29. So if IIS restarts environment thus ASP.NET session ASP session variables are also can maintained even if IIS reboots. recycled. 3 Cookie dependency: Cookie dependency: In ASP, the session is Cookie As ASP.
NET supports Cookieless dependent i.e ASP session only session, so the Introduction. We use Session in ASP.NET application to maintain the state of the user.