cookie disabled but session still work well?

[rgao]

This is an old question about session Vs cookies,in Asp session works base on cookie, cookie keep info of sessionid,if cookie disabled the sessionid will be different in each page( http is stateless protocal),session will not work well. this is what I know.
but there is something weired I delete all cookies and disable all cookies,I put "response.write session.sessionid "in every asp page to display their id,then I access the pages.I was surprised to see every has same session id and session work very well.I was very confused.
if some one know session and cookie well,please give me some suggestion.thanks for any reply.

 

[JoeyFilichia]

Here's the scoop:
An IIS Server holds a session in memory (seperate of a cookie...cookies are generally client-based). In other words, a session is a piece of information held on the server until the user either times out or exits their site. Because of this, the information will always be there, because it's the server's way of "tracking" what each connection is doing.
Easy way to remember this?

Session...information on the server only
Cookie...information on the client only

Hope this helps.
J.

 

[JohnYingling]

IIS does hold session data on the Server Side BUT it MUST write the Session ID to an "In-memory cookie" on the client so that the client can send it back and the server can pick up the correct session data. How else can the client be identified? Not IP address since the a different IP address can be assigned each time by firewalls etc. The difference is that there are two types of cookies, "Disk" and "In-memory (Session Cookies)".

On the Security Tab for IE properties there are options for "Cookies stored on your computer" and "Cookies store in-memory (Session Cookies)". Try disabling both and see what happens.

http://www.VBCompare.com

Compare Code (Text)

http://www.VBSortGen.com

Generate Sort in VB or VBScript

 

[rgao]

Hi,john and joey
Thanks for your reply.my IE version is 6 .In security tab there is no cookie in list.another tab privacy is set up to handle cookie.
I set up it to high level to blook all cookies,but cookie still works and every page got same sessionID.
Any thought?

 

[AncientTiger]

John is right in that the server has to track which clients are which... and to do this the server will try to write a "cookie" into the header of the server's http response. Problem with this is the browser considers it a cookie, even if it's not being written to disk, therefore if the user(s) have all cookies disabled (disk and memory both), your website visitor won't ever see the seemless quality of your session management.

One way I address this in my pages is to have the server check to see if the new visitor's browser has "memory cookies" enabled.
==============================================
Session("test&quot = "ok"
if Session("test&quot = "" then 'Ok, we wrote something, but this browser didn't accept it...cookies MUST be disabled.
'redirect user to the "please enable your memory cookies" page
end if
==============================================

If your site relies HEAVILY on the Session values (*like a shopping cart*), then the visitor will simply HAVE to put away their paranoid feelings toward cookies for a short while and re-enable their cookies (remember, not all surfers are scriptmonkeys, so you'll need to walk them thru step by step on how to enable at least the "memory cookies&quot. If you're just wanting to have a Session variable that remembers the person's first name to diplay something like "Hello John" on each page, then I wouldn't sweat it.