The Dangers of cookieless=”AutoDetect”

One of the cool new features that Microsoft added to ASP.NET in 2.0 is the ability to have cookieless sessions and cookieless authentication. However, before you turn this feature on, you need to know what the consequences will be.

You can either specify cookieless=”true”, cookieless=”AutoDetect” or cookieless=”false”. AutoDetect will cause one 302 request to determine if the browser accepts cookies and another 302 redirect if the browser doesn’t accept cookies so that it can embed the session ID into the URL.

And here is where the trouble begins.

If you want your site to be searched by the search engines, you’ll want to think twice about turning this feature on. This is because when the site is spidered by the search engines, each request will cause a new session id to be created and will therefore cause the site to have multiple pages with the same content. This doesn’t appear to be a problem for some of the more popular search engines, but it is still a problem for spiders in general.

The second problem is a little bit more unique. You see, one of the apps I built stores its images in a database but makes them look like they are real static images. It’s an interesting solution to the problem of needing to be able to upload images to a web farm.

The problem we ran into is that when the organization I wrote this app for sent out newsletters with the image referenced by the newsletter, some of the email clients weren’t seeing it.

Why? Well, it was doing several 302 redirects as it was trying to figure out if the email client accepted cookies and ended up with a URL that no longer looked like an image. Personally, I consider this a bug in the email client. But you can’t tell the client that when regular images work and the database-backed images don’t.

Frankly, I can’t see any good reason for turning this feature on. If you require session variables, you really need to require cookies and be done with it. People so paranoid about security that they’ve completely turned off cookies generally don’t make good customers anyhow. This means that if you are generating revenue based on ad revenue, you either aren’t getting credit for the action they are taking or they aren’t seeing the ad. Either way, you aren’t getting paid. And if you have a site that you are actually selling something of your own on, they probably will never buy. Again, you aren’t getting paid. If you have a site just for the pure joy of having a site, then you probably don’t care who shows up or how much traffic you get. In that case, you can do whatever you want.

So, just leave cookieless=”false” as the default (which it is) and you won’t have any trouble.

Most Commented Post

2 Responses to “The Dangers of cookieless=”AutoDetect””

Leave a Reply

Comment Policy:

  • You must verify your comment by responding to the automated email that is sent to your email address. Unverified comments will never show.Leave a good comment that adds to the conversation and I'll leave your link in.
  • Leave me pure spam and I'll delete it.
  • Leave a general comment and I'll remove the link but keep the comment.

Notify me of followup comments via e-mail

Bear