The Dangers of cookieless=”AutoDetect”
July 15th, 2008 | 
Author: One of the cool new features that Microsoft added to ASP.NET in 2.0 is the ability to have cookieless sessions and cookieless authentication. However, before you turn this feature on, you need to know what the consequences will be.
You can either specify cookieless=”true”, cookieless=”AutoDetect” or cookieless=”false”. AutoDetect will cause one 302 request to determine if the browser accepts cookies and another 302 redirect if the browser doesn’t accept cookies so that it can embed the session ID into the URL.
And here is where the trouble begins.
If you want your site to be searched by the search engines, you’ll want to think twice about turning this feature on. This is because when the site is spidered by the search engines, each request will cause a new session id to be created and will therefore cause the site to have multiple pages with the same content. This doesn’t appear to be a problem for some of the more popular search engines, but it is still a problem for spiders in general.
The second problem is a little bit more unique. You see, one of the apps I built stores its images in a database but makes them look like they are real static images. It’s an interesting solution to the problem of needing to be able to upload images to a web farm.
The problem we ran into is that when the organization I wrote this app for sent out newsletters with the image referenced by the newsletter, some of the email clients weren’t seeing it.
Why? Well, it was doing several 302 redirects as it was trying to figure out if the email client accepted cookies and ended up with a URL that no longer looked like an image. Personally, I consider this a bug in the email client. But you can’t tell the client that when regular images work and the database-backed images don’t.
Frankly, I can’t see any good reason for turning this feature on. If you require session variables, you really need to require cookies and be done with it. People so paranoid about security that they’ve completely turned off cookies generally don’t make good customers anyhow. This means that if you are generating revenue based on ad revenue, you either aren’t getting credit for the action they are taking or they aren’t seeing the ad. Either way, you aren’t getting paid. And if you have a site that you are actually selling something of your own on, they probably will never buy. Again, you aren’t getting paid. If you have a site just for the pure joy of having a site, then you probably don’t care who shows up or how much traffic you get. In that case, you can do whatever you want.
So, just leave cookieless=”false” as the default (which it is) and you won’t have any trouble.
Other Related Items:
Floating Leaf and Debris Pond Net - 7 ft. x 10 ft.Protect your fish from predators and keep the autumn leaves out with Supreme Floating Pond Netting. Tough, durable netting floats on surface for easy set up and removal.
MCTS Self-Paced Training Kit (Exam 70-562): Microsoft .NET Framework 3.5-ASP.NET Application Development: Microsoft(r) .Net Framework 3.5 ASP.Net Application Development (Pro - Certification)Ace your preparation for the skills measured by MCTS Exam 70-562âand on the job. Work at your own pace through a series of lessons and reviews... Read More >
Beginner's ASP.NET in C# 2003 on DVDASP.NET 2003 represents an important technology for building enterprise level web applications. Learn the basics of ASP.NET development as you watch a... Read More >
If you're new here, you may want to subscribe to the mailing list to get notifications of new post and a virtual tour of past topics. Thanks for visiting!
Most Commented Post
Posted in none
2 Responses to “The Dangers of cookieless=”AutoDetect””
[...] The Dangers of cookieless="AutoDetect" (Dave M. Bush) [...]
You have expressed yourself with deep sense of reality. me too happened to be tricked by cookieless=”Uri” and malfunctioning led me to accept them.
Thanks
Diego
Italy