The Dangers of cookieless="AutoDetect"

One of the cool new features that Microsoft added to ASP.NET 2.0 is the ability to have cookieless sessions and cookieless authentication. However, before you turn this feature on, you need to know what the consequences will be.

You can specify cookieless="true", cookieless="AutoDetect" or cookieless="false". AutoDetect causes one 302 redirect to determine whether the browser accepts cookies, and, if the browser doesn't accept cookies, a second 302 redirect so that the session ID can be embedded into the URL.

And here is where the trouble begins.

If you want your site to be indexed by the search engines, you'll want to think twice about turning this feature on. When the site is spidered, each request (which carries no cookie) causes a new session ID to be created and embedded in the URL, so the spider ends up with multiple URLs pointing at the same content. This doesn't appear to be a problem for some of the more popular search engines, but it is still a problem for spiders in general.

The second problem is more specific to my situation. One of the apps I built stores its images in a database but serves them so that they look like real static images. It's an interesting solution to the problem of needing to upload images to a web farm.

The problem we ran into is that when the organization I wrote this app for sent out newsletters that referenced these images, some of the email clients weren't displaying them.

Why? Well, the server was issuing several 302 redirects while trying to figure out whether the email client accepted cookies, and the final URL no longer looked like an image. Personally, I consider this a bug in the email client. But you can't tell the client that when regular images work and the database-backed images don't.
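Both problems come down to the same thing: once AutoDetect falls back to cookieless mode, the session ID travels inside the URL path, so every cookieless visitor (a spider, an email client) gets a different URL for the same resource, and that URL can be copied, logged or passed along in a Referer header. The script below is an added example, not code from the original post; it parses the ASP.NET cookieless path segment (assumed here to be the documented `(S(...)A(...)F(...))` form, where S is the session ID, A the anonymous ID and F the forms-authentication ticket), canonicalizes URLs so that a crawl can be deduplicated, and flags any URL that carries an embedded session ID. The sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The cookieless segment ASP.NET inserts at the application root, e.g.
#   /(S(lit3py55t21z5v55vlm25s55))/products.aspx
#   /(S(abc)F(ticket))/images/logo.gif
# Kinds: S = session id, A = anonymous id, F = forms-auth ticket.
# (Format assumed from the ASP.NET 2.0 cookieless documentation.)
_TOKEN_SEGMENT = re.compile(r"/\((?P<body>(?:[SAF]\([^()]*\))+)\)(?=/|$)")
_TOKEN_PART = re.compile(r"([SAF])\(([^()]*)\)")


def extract_tokens(url):
    """Return {kind: value} for tokens embedded in the URL path, or {} if none."""
    match = _TOKEN_SEGMENT.search(urlsplit(url).path)
    if not match:
        return {}
    return {kind: value for kind, value in _TOKEN_PART.findall(match.group("body"))}


def canonicalize(url):
    """Strip the cookieless segment so a spider's many URLs collapse to one page."""
    parts = urlsplit(url)
    clean_path = _TOKEN_SEGMENT.sub("", parts.path) or "/"
    return urlunsplit((parts.scheme, parts.netloc, clean_path, parts.query, parts.fragment))


def summarize(urls):
    """Deduplicate a list of requested URLs and report which ones leak a session id."""
    canonical = {canonicalize(u) for u in urls}
    with_tokens = [u for u in urls if extract_tokens(u)]
    leaked_sessions = sorted({extract_tokens(u)["S"] for u in with_tokens if "S" in extract_tokens(u)})
    return {
        "unique_pages": len(canonical),
        "urls_with_tokens": len(with_tokens),
        "leaked_sessions": leaked_sessions,
    }


# Constructed sample: three spider hits on one page (two of them cookieless)
# plus a newsletter image link that picked up a session id and a forms ticket.
CRAWL = [
    "http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/products.aspx",
    "http://www.example.com/(S(w1sqbjv0owqc4e55e5mzjs45))/products.aspx",
    "http://www.example.com/products.aspx",
    "http://www.example.com/(S(abc)F(ticket))/images/logo.gif?id=42",
]

if __name__ == "__main__":
    report = summarize(CRAWL)
    print(f"{len(CRAWL)} requests, {report['unique_pages']} distinct pages")
    print(f"{report['urls_with_tokens']} URLs carry a session id: {report['leaked_sessions']}")
    for url in CRAWL:
        print(f"  {url} -> {canonicalize(url)}")
```

Run over an access log or a list of outbound links (newsletter image references, for instance), `summarize` shows how many "pages" are really one page and which session IDs have escaped into URLs. Anything reported in `leaked_sessions` is a session that could be replayed by whoever sees the link.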

Frankly, I can't see any good reason for turning this feature on. If you require session variables, you really need to require cookies and be done with it. People so paranoid about security that they've completely turned off cookies generally don't make good customers anyhow. If your revenue comes from ads, you either aren't getting credit for the action they take or they aren't seeing the ad; either way, you aren't getting paid. If you have a site on which you sell something of your own, they probably will never buy; again, you aren't getting paid. If you have a site just for the pure joy of having a site, then you probably don't care who shows up or how much traffic you get, and in that case you can do whatever you want.

So, just leave cookieless="false" as the default (which it is) and you won't have any trouble.
