Take the community feedback survey now.

AI OnAI Off

Jun 22, 2010
  4011
(0 votes)

Cookieless Session Support in EPiServer

No.

As in "No - we don't support cookieless sessions when using Friendly URLs". Your natural reaction is then probably to ask "Why not?". The basic design guidelines for our software is that we should build upon and extend the .NET / ASP.NET framework and that would imply that we should support cookieless sessions (CS from here on).

If you have never heard of CS before you probably want to check this article for some background information. http://msdn.microsoft.com/en-us/library/aa479314.aspx

As hinted in the article, the implementation of CS in ASP.NET is somewhat fragile in itself. There are a couple of guidelines that you have to follow in order for your site to work properly with CS. Basically you need to make sure that all yours that you put in the HTML response are relative or you need to call a special method (HttpResponse.ApplyAppPathModifier) to include the CS URL segment.

Another aspect of CS that is far from ideal is the fact that it is extremely easy to hijack an existing session - you simply need to copy the URL. Cookies are here to stay and my personal opinion is that CS is a leftover from the old "cookies are evil" debate.

Back to the techie stuff - why does this not work with FURL? All links that we generate from permanent links could be adapted to call ApplyAppPathModifier if we detect that CS is enabled. Unfortunately there is another thing that will break the solution. If you generate links in the standard ASP.NET way and that involves the System.Web.UI.Control.ResolveUrl method, you will implicitly call ApplyAppPathModifier and write the CS URL segment.

This is bad since there is no way for the FURL module to reliably detect the CS URL segment in a URL (short of doing nasty reflection tricks) and we need to do that in order to properly rebase all URLs when we do FURL rewriting.

Finally there are a lot of complications when dealing with CS links from JavaScript (which we do a lot from edit mode) which would require a significant investment to update and fully support CS.

To summarize: In order to support the somewhat brittle CS system we would need to introduce even more restrictions. Since there has been practically no requests for EPiServer to support CS we have decided to say "CS is unsupported" for the time being.

Jun 22, 2010

Comments

Please login to comment.
Latest blogs
A day in the life of an Optimizely OMVP - Opticon London 2025

This installment of a day in the life of an Optimizely OMVP gives an in-depth coverage of my trip down to London to attend Opticon London 2025 held...

Graham Carr | Oct 2, 2025

Optimizely Web Experimentation Using Real-Time Segments: A Step-by-Step Guide

  Introduction Personalization has become de facto standard for any digital channel to improve the user's engagement KPI’s.  Personalization uses...

Ratish | Oct 1, 2025 |

Trigger DXP Warmup Locally to Catch Bugs & Performance Issues Early

Here’s our documentation on warmup in DXP : 🔗 https://docs.developers.optimizely.com/digital-experience-platform/docs/warming-up-sites What I didn...

dada | Sep 29, 2025

Creating Opal Tools for Stott Robots Handler

This summer, the Netcel Development team and I took part in Optimizely’s Opal Hackathon. The challenge from Optimizely was to extend Opal’s abiliti...

Mark Stott | Sep 28, 2025

Integrating Commerce Search v3 (Vertex AI) with Optimizely Configured Commerce

Introduction This blog provides a technical guide for integrating Commerce Search v3, which leverages Google Cloud's Vertex AI Search, into an...

Vaibhav | Sep 27, 2025

A day in the life of an Optimizely MVP - Opti Graph Extensions add-on v1.0.0 released

I am pleased to announce that the official v1.0.0 of the Opti Graph Extensions add-on has now been released and is generally available. Refer to my...

Graham Carr | Sep 25, 2025

See all blogs