Reputation: 795
I'm reading about session management in ASP.NET and I'm a bit confused.
This is what I understand:
- When a client starts communication with my application, a session is created and the state of the session is maintained in a session object on the server.
- The browser gets a cookie with the session ID, and every request that it wants to make in relation to the session needs to be sent with that cookie.
- The session ends when some rules are met.
- As long as the session is alive, the browser must have the cookie and the server must maintain the session object in memory.
Is this how it works or am I mixing things up? I read somewhere that the server can maintain the state with the cookie only but I don't understand if it's correct or possible (the last point in the bullet list).
Upvotes: 0
Views: 688
Reputation: 672
You've got it right, that's how it normally works. In terms of cookies, ASP.net does have a way of offering a session without a cookie, which it achieves by basically putting your cookie into the URL instead. That might be what you're thinking of.
Normally this isn't a great idea; it makes session hijacking as simple as copy-pasting the victim's URL into your own browser.
There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.
Upvotes: 1
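For reference, the two behaviours the answer contrasts are selected by the `cookieless` attribute of `<sessionState>` in `web.config`. The fragment below is an added illustration (not code from the question, the answer, or Microsoft's documentation); the timeout value and the `requireSSL` setting are example choices, not defaults the page states.

```xml
<configuration>
  <system.web>

    <!-- WEAK: session ID is embedded in the URL path, e.g.
         http://host/(S(abc123...))/page.aspx
         Anyone who obtains that URL (logs, Referer headers, a shared link)
         can replay it and take over the session, as the answer describes. -->
    <!--
    <sessionState mode="InProc" cookieless="UseUri" timeout="20" />
    -->

    <!-- PREFERRED: session ID travels only in the ASP.NET_SessionId cookie.
         regenerateExpiredSessionId keeps expired IDs from being reused. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  timeout="20"
                  regenerateExpiredSessionId="true" />

    <!-- Cookie hardening applies to the session cookie as well:
         HttpOnly keeps script from reading it, requireSSL keeps it off
         plaintext HTTP (example choice: assumes the site is HTTPS-only). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

The `timeout` value (minutes of inactivity before the server discards the session object) is one of the "rules" that end a session in the question's summary. A quick check that a deployment is not silently using URL sessions is to look for the `(S(...))` segment in request paths in the IIS logs; with `UseCookies` it should never appear.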