Session ID embedded in URLs is very annoying - asp.net-mvc

I have an ASP.NET 4 site with URLs that have the session string embedded in them. Due to this, Google indexes the same page multiple times, all with different session IDs. This is affecting my ranking. Earlier I also had the aspautodetectcookie string appended to the URL, but I was able to remove it; however, the session ID embedded in the URL still remains a problem.
If my URL is http://www.somesite.com/ViewProduct.aspx?ID=12, it shows up like this: http://www.somesite.com/S(yya4h4rf4gjh5eo4uazix2t055)X(1))/ViewProduct.aspx?ID=12. I want it to show as http://www.somesite.com/ViewProduct.aspx?ID=12 all the time.
Here are some settings in my web.config that may help you help me:
<authentication mode="Forms">
<forms cookieless="UseCookies" loginUrl="~/AccessDenied.aspx" name="FORMAUTH" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="15" />
<anonymousIdentification cookieless="AutoDetect" enabled="false" />
Now one user asked me to change to cookieless="true" to fix the problem. However, in the article http://www.beansoftware.com/ASP.NET-Tutorials/Cookieless-Session-State.aspx the guy says that by adding cookieless="true" the session ID 'will be' embedded in all page URLs.
Can anyone tell me how to remove this session ID from the URL - forever?
I am running on IIS 7 but do not have much access to the admin features.

If you set cookieless="false" that will solve the problem you are seeing with Google.
However, this means that any browser which doesn't support cookies will get a new session per request. If you want more help, please tell us how you are using the sessions.

Related

No User on Web Request

I have an ASP.Net MVC app, making use of Forms Authentication, with the following config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="1440" slidingExpiration="true" />
</authentication>
The user count ranges between 20 and 40. Users log in and use the application without a problem...90% of the time.
However, we are finding that on a seemingly random basis, all users suddenly get logged out at the same time, and are presented with the Logon screen again.
The ELMAH log shows that the requests all still have their respective aspxauth cookies, yet the Request.User.Identity is unauthenticated, and has a blank Name.
Please advise where I can start looking, as I am at my wits' end on this.

After adding the SessionState tag in web.config file, URL gets changed.

I am developing an MVC application.
I have added the code below to web.config to handle sessions.
<system.web>
<sessionState mode="InProc" cookieless="true" timeout="30" />
</system.web>
After adding this code, when I run the application, I get the following URL in the browser:
http://localhost:65344/(S(egpaesodxcoii0dxtczyi10c))/Login/LoginUser
I am confused about the (S(egpaesodxcoii0dxtczyi10c)) part.
If I remove this sessionState tag
<sessionState mode="InProc" cookieless="true" timeout="30" />
from web.config, then it starts appearing normally, like below:
http://localhost:65344/Login/LoginUser
What's the issue?
There is no issue.
When you use cookieless session state, the user's session ID is embedded in the URL. If you do not want this embedded, you should consider setting cookieless to false.
I recommend you have a read of this documentation; it should outline the differences between the two.
Hope you find this useful.
There are two ways that session state can store the unique ID that associates the client with a server session: by storing an HTTP cookie on the client or by encoding the session ID in the URL. Storing the session ID in the cookie is more secure but requires the client browser to support cookies.
For applications that allow clients that do not support cookies, such as a variety of mobile devices, the session ID may be stored in the URL. The URL option has several drawbacks. It requires that the links on the site be relative and that the page be redirected at the beginning of the session with new query-string values, and it exposes the session ID right in the query string, where it can be picked up for use in a security attack.
You are encouraged to use the cookieless mode only if you need to support clients that lack cookie support.
So setting cookieless to false will work for you:
<system.web>
<sessionState mode="InProc" cookieless="false" timeout="30" />
</system.web>

ASP.NET session times out earlier than expected

My current running configuration looks like this:
<sessionState mode="InProc" timeout="30" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" protection="All" name="Auth_Cookie" path="/" slidingExpiration="true" timeout="30" />
</authentication>
So I expect it to at least let the user stay logged in for half an hour (if he does not make any requests),
but the session timeout is hit after about 3-4 minutes if the user is not active. I mean global.asax's Session_End event is hit in this time, and then in the Application_PostAcquireRequestState event I check if any session variables are null, and if they are, I sign the user out and redirect him to the login page. I can't see what the problem is. Am I misunderstanding how this whole thing works? What should I do in order to achieve what I want? Thanks in advance.
From your comment:
I am constantly rebuilding the solution. Is that it? Can it be clearing session variables?
So basically you are recycling the application pool, killing everything stored in the session. The biggest problem with ASP.NET Session is that by default it is stored in-memory:
<sessionState mode="InProc"
This has the drawback that if the application pool is restarted you will lose everything you stored in it. And don't forget that the application pool could be restarted by IIS at any time. For example after some period of inactivity or if some CPU/memory thresholds are reached. Also if you deploy your application in a web farm, InProc session simply won't work because the nodes of your farm cannot share session information.
All those drawbacks are the reasons why I never use ASP.NET Session in my web applications and simply put this in my web.config:
<sessionState mode="Off" />

Links being rendered with strange path values

I've seen this a few times in our logs and users have also reported it to us but have never really gotten to the bottom of the problem.
From time to time, a page will render from output caching with links that have a strange path value in them. Say (X(3)S(5l53uwuaffkddojv4iwb3snm)). Presumably this occurs because the first render of the page has these links, and they are therefore cached with them.
This means that all URLs on that page look similar to this:
http://www.example.com/(X(3)S(5l53uwuaffkddojv4iwb3snm))/foo/bar/index.htm
This looks identical to this question and the MSDN article "Understand How the ASP.NET Cookieless Feature Works", except that we use sessions or session cookies for our public site, but for 99% of our site, we don't actually use sessions. The remaining 1% uses session cookies for the user experience, so I don't see how this causes a problem with the rest of our site.
This part of the above article seems to reference the issue:
// Step 2: Check if we have already detected that Cookies are not
// supported. This is detected by looking for the string
// "/(X(1))/" in the URL
If (URL-contains-"/(X(1))/")
Report_cookies_are_NOT_supported_and_exit;
Currently the sessionstate looks like this:
<sessionState mode="SQLServer" sqlConnectionString="data source=myDatabase;user id=dbUsername;password=dbPassword" cookieless="false" timeout="10080" />
Does anyone have any ideas on how I can resolve this issue? Is there a way we can prevent URLs like this from displaying?
Make sure you have forced the usage of cookies:
<sessionState cookieless="UseCookies" />
and for the forms authentication cookie as well:
<forms loginUrl="~/Account/LogOn" timeout="2880" cookieless="UseCookies" />
If you don't do that and have a client browser which has cookies disabled, you will get the aforementioned token in the URL.
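The path tokens seen in these threads, such as (X(3)S(...)) and (S(...)), can be found in request logs and stripped back to the canonical path. The following Python is an added example, not part of the original posts; the function names and client IPs are constructed for illustration, and the field letters (A anonymous ID, S session ID, F forms ticket, X auto-detect marker) are those of ASP.NET's cookieless URL format.

```python
import re
from collections import defaultdict

# One path segment such as /(S(abc))/ or /(X(3)S(abc))/: a parenthesised run
# of single-letter fields. A = anonymous ID, S = session ID,
# F = forms-auth ticket, X = cookie auto-detect marker.
TOKEN_SEGMENT = re.compile(r"/\(((?:[A-Z]\([^()/]*\))+)\)(?=/|$)")
FIELD = re.compile(r"([A-Z])\(([^()/]*)\)")


def split_cookieless(path):
    """Return (canonical_path, fields) for a request path."""
    m = TOKEN_SEGMENT.search(path)
    if not m:
        return path, {}
    fields = dict(FIELD.findall(m.group(1)))
    # Drop the token segment; an empty remainder is the site root.
    canonical = path[:m.start()] + path[m.end():] or "/"
    return canonical, fields


def shared_session_ids(requests):
    """requests: iterable of (client_ip, path).

    Map each URL-borne session ID to the clients that presented it and keep
    the IDs seen from more than one client, which suggests the link was
    cached, indexed or passed around with the ID still in it.
    """
    seen = defaultdict(set)
    for ip, path in requests:
        _, fields = split_cookieless(path)
        if "S" in fields:
            seen[fields["S"]].add(ip)
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


# Constructed sample requests: paths reuse the tokens quoted in the posts,
# client IPs are from documentation ranges.
SAMPLE = [
    ("198.51.100.7", "/(X(3)S(5l53uwuaffkddojv4iwb3snm))/foo/bar/index.htm"),
    ("203.0.113.20", "/(X(3)S(5l53uwuaffkddojv4iwb3snm))/foo/bar/index.htm"),
    ("203.0.113.21", "/(S(egpaesodxcoii0dxtczyi10c))/Login/LoginUser"),
    ("203.0.113.22", "/foo/bar/index.htm"),
]

if __name__ == "__main__":
    for ip, path in SAMPLE:
        print(ip, split_cookieless(path))
    print(shared_session_ids(SAMPLE))
```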

ASP.NET MVC Application Timeout Not Working

In my Web.config file, I have been trying to set the session timeout. I used the following code:
<configuration>
<system.web>
<sessionState timeout="1"></sessionState>
</system.web>
</configuration>
When I ran the app, the timeout was still set to the default 20 minutes. Trying to figure out why the settings are not applying. Please help! Thanks!
Don't be confused between ASP.NET session timeout (which is what you set) and Forms Authentication cookie timeout which is something entirely different and controlled by the <forms> tag:
<authentication mode="Forms">
<forms
loginUrl="/login"
timeout="1" />
</authentication>
ASP.NET session uses cookies to track users (it has nothing to do with authentication) and associate their unique id with a hashtable stored on the server. Forms authentication on the other hand is a means of tracking authenticated users in ASP.NET. It uses cookies but it is a different cookie than the ASP.NET session.
