SgDotNet
Singapore Professional .NET User Group -For Cool Developers

cookieless session in web service


Top 200 Contributor
Posts 9
SAVAGErider Posted: 11-28-2007 12:37 AM

Hi Experts,

Is it possible to implement cookieless session in a web service? For ASP.NET, we can use state machine / SQL Server to store the sessionID. And I know it is possible to store the SessionID in the query string. However, when I execute a web method using Windows, I was prompted for some errors. The error sounds like the framework has a problem interpreting the (sessionID) in the URL.

Does anyone have any clue on this? Thanks for your help.

 

Top 25 Contributor
Posts 184
Is it wise to store the session ID in a query string? That'll just set your users up for session hijacking and other similar attacks.

http://devpinoy.org/blogs/cruizer

Top 200 Contributor
Posts 7
Plus the fact that you are limited to 255 characters in your URL... you may get your sessionID value trimmed out.
Top 200 Contributor
Posts 9

In this case, how about storing the sessionID in SQL Server / State Server? Is this a better approach?

 Thanks,

Top 25 Contributor
Posts 184
If so, how do you retrieve the sessionID afterwards? Remember, the session ID (which is normally stored in a cookie) is used as the key to access session variables serialized into SQL Server or the ASP.NET session state server.

http://devpinoy.org/blogs/cruizer

Top 25 Contributor
Posts 442

Can you share with us why you are avoiding cookies in your web service implementation?

The client (.NET or non .NET) will somehow have a way to receive and keep the cookie.

For .NET client, all you need is to create a CookieContainer and attach it to your proxy.
The cookie issued from web service will be stored and resubmitted to server with each call automatically.

For other platforms, the client may have to store and resubmit the cookie manually.

In the worst scenario, you may consider custom application-level session management instead of depending on the features provided by ASP.NET.

Example:

Issue your custom session ID upon successful authentication and have the session ID resubmitted in a SOAP header for each call that requires retrieval of state. Store your state wherever you like, be it in SQL or custom storage, and use the session ID to retrieve the state for the client.

Maung Maung
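
The application-level approach described in the last reply, shown as an ASMX service. This is an added example, not code posted by anyone in the thread. `SessionHeader`, `SessionStore`, `AccountService` and `CheckCredentials` are hypothetical names, and the in-memory dictionary is an assumption standing in for SQL Server or other custom storage.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;
public class SessionHeader : SoapHeader { public string SessionId; }  // hypothetical header type
public static class SessionStore  // hypothetical in-memory store; swap for SQL or custom storage
{
    private class Entry { public DateTime Expires; public Dictionary<string, object> State; }
    private static readonly Dictionary<string, Entry> Sessions = new Dictionary<string, Entry>();
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(20);
    public static string Create(string user)
    {
        byte[] raw = new byte[32];  // 256-bit ID from a CSPRNG, so it cannot be guessed
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string id = Convert.ToBase64String(raw);
        var state = new Dictionary<string, object> { { "user", user } };
        lock (Sessions) Sessions[id] = new Entry { Expires = DateTime.UtcNow + IdleTimeout, State = state };
        return id;
    }
    public static Dictionary<string, object> Get(string id)  // null when unknown or expired
    {
        if (id == null) return null;
        lock (Sessions)
        {
            Entry e;
            if (!Sessions.TryGetValue(id, out e) || e.Expires < DateTime.UtcNow) { Sessions.Remove(id); return null; }
            e.Expires = DateTime.UtcNow + IdleTimeout;  // sliding idle timeout
            return e.State;
        }
    }
}

public class AccountService : WebService
{
    public SessionHeader Session;  // filled in from the request's SOAP header
    [WebMethod]
    public string Login(string user, string password)
    {
        if (!CheckCredentials(user, password)) throw new SoapException("Login failed", SoapException.ClientFaultCode);
        return SessionStore.Create(user);  // the client sends this value back in SessionHeader
    }
    [WebMethod, SoapHeader("Session")]
    public string WhoAmI()
    {
        Dictionary<string, object> state = Session == null ? null : SessionStore.Get(Session.SessionId);
        if (state == null) throw new SoapException("Invalid or expired session", SoapException.ClientFaultCode);
        return (string)state["user"];
    }
    private static bool CheckCredentials(string user, string password) { return false; }  // assumption: placeholder that fails closed
}
```

Carrying the ID in a SOAP header keeps it out of URLs and server access logs, which addresses the hijacking concern raised earlier in the thread; the calls still need HTTPS so the header cannot be read in transit.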
Copyright SgDotNet 2004-2008