Reputation: 104
Generally, we create a cookieless session till MVC 5 by configuring a sessionState attribute in Web.config. But what's the correct way to create cookieless sessions in the latest .NET Core, like .NET 5?
Upvotes: 2
Views: 2469
Reputation: 10078
A lot depends on what you need session for... Is it for authentication? If that's the case you should use JWT tokens, Microsoft Identity, OpenID Connect and/or OAuth.
Maybe it's for caching? You don't need session - use MemoryCache or Distributed Cache.
If you are using session for anything else - then you should rethink your application architecture, or at least be more specific in your question. As the comment says, why do you want to avoid the cookie in the first place?
Upvotes: 1
Reputation: 2910
As this answer explains, HTTP is stateless and sessions are a way of faking state. You don't need it at all when you can pass e.g. a conversationID as a URL parameter and store the state in a database.
In addition, cookieless sessions are a very big security problem because the session identifier passed in the URL can be hijacked and reused to impersonate the user. Cookies, controlled and secured by the browser, are A Good Thing in this case. If you go on to pass some ID in the URL you should treat it as an authentication token, not just as a conversation ID.
Upvotes: 1
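
An added example, not part of the answers above, of what treating a URL-carried conversation ID as an authentication token can look like in .NET 5: the ID comes from the CSPRNG, is stored only as a hash, expires, and is honoured only for the user it was issued to. `ConversationTokenStore` and its members are hypothetical names, the in-memory dictionary stands in for the database, and the caller is assumed to be authenticated by another mechanism.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the thread): conversation IDs handled as bearer tokens.
public sealed class ConversationTokenStore
{
    private sealed record Entry(string UserId, DateTimeOffset ExpiresAt);

    // Keyed by SHA-256 of the token, so a leaked store does not reveal usable IDs.
    // Assumption: this dictionary stands in for the database mentioned in the answer.
    private readonly ConcurrentDictionary<string, Entry> _entries = new();
    private readonly TimeSpan _lifetime;

    public ConversationTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    public string Issue(string userId)
    {
        var bytes = new byte[32];                 // 256 bits from the OS CSPRNG
        RandomNumberGenerator.Fill(bytes);
        var token = Convert.ToBase64String(bytes) // base64url, safe in a query string
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _entries[Hash(token)] = new Entry(userId, DateTimeOffset.UtcNow + _lifetime);
        return token;
    }

    // True only if the token exists, has not expired, and was issued to this user.
    public bool Validate(string token, string authenticatedUserId)
    {
        if (string.IsNullOrEmpty(token)) return false;
        var key = Hash(token);
        if (!_entries.TryGetValue(key, out var entry)) return false;
        if (entry.ExpiresAt <= DateTimeOffset.UtcNow)
        {
            _entries.TryRemove(key, out _);       // drop expired entries on sight
            return false;
        }
        return string.Equals(entry.UserId, authenticatedUserId, StringComparison.Ordinal);
    }

    public void Revoke(string token) => _entries.TryRemove(Hash(token), out _);

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}
```

Because URLs end up in browser history, proxy logs and Referer headers, the lifetime passed to the constructor should be short and `Revoke` called as soon as the conversation ends.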