The HttpSessionState.SessionID property is used to uniquely identify a browser with session data on the server. The HttpSessionState.SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The HttpSessionState.SessionID value is then sent in a cookie with each request to the ASP.NET application.

If you want to disable the use of cookies in your ASP.NET application and still make use of session state, you can configure your application to store the session identifier in the URL instead of a cookie by setting the cookieless attribute of the sessionState configuration element to true, or to System.Web.HttpCookieMode.UseUri, in the Web.config file for your application. You can have ASP.NET determine whether cookies are supported by the browser by specifying a value of System.Web.HttpCookieMode.UseDeviceProfile for the cookieless attribute. You can also have ASP.NET determine whether cookies are enabled for the browser by specifying a value of System.Web.HttpCookieMode.AutoDetect for the cookieless attribute. If cookies are supported when System.Web.HttpCookieMode.UseDeviceProfile is specified, or enabled when System.Web.HttpCookieMode.AutoDetect is specified, then the session identifier will be stored in a cookie; otherwise the session identifier will be stored in the URL. For more information, see the HttpSessionState.IsCookieless property.

The HttpSessionState.SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the HttpSessionState.SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the HttpSessionState.SessionID.

When using cookie-based session state, ASP.NET does not allocate storage for session data until the System.Web.UI.Page.Session object is used. As a result, a new session ID is generated for each page request until the session object is accessed. If your application requires a static session ID for the entire session, you can either implement the Session_Start method in the application's Global.asax file and store data in the System.Web.UI.Page.Session object to fix the session ID, or you can use code in another part of your application to explicitly store data in the System.Web.UI.Page.Session object.

If your application uses cookieless session state, the session ID is generated on the first page view and is maintained for the entire session.

Namespace: System.Web.SessionState
Assembly: System.Web (in System.Web.dll)
Assembly Versions: 1.0.5000.0, 2.0.0.0