Strange line in IE address bar and in source

This may or may not be a programming question, but one or two users of my website have some weird strings inserted into their address bar.

The address should be: http://URL/Couple folders/page.aspx

but sometimes it looks like this instead: http://URL/(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))/Folders/Page.aspx

The string is also in the action field like so:

<form name="aspnetForm" method="post" action="/**(X(1)F(qHfgTf50ahMY47b-lnz3ovk89OA4AbMN4S-sYVZCgCULL))**/<Page>.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">

      

I'm not a server / IIS expert, so please excuse me if this is a stupid question, but what is this weird string, and should I / my clients be concerned?

+2




3 answers


It looks like you have cookieless sessions set to auto in your web.config.

If the user allows cookies, their session ID is stored in an in-memory cookie. If they don't, ASP.NET moves the session ID into the URL, and this is used to determine which user is making the request. The weird strings of characters you see are session IDs for those people who have cookies disabled.



Nothing really to worry about, although it does make trying to hijack the session a little easier ... It probably wouldn't affect that.

Hope it helps ...

+6
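
An added example, not part of the answers on this page: because the token travels in the URL, it also lands in server logs and Referer headers. This sketch redacts such segments from log lines and lists tokens presented from more than one client IP; the log layout, sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One path segment made of TAG(value) groups, e.g. /(X(1)F(...))/ as in the
# question. Tag meanings are not interpreted; the whole segment is a secret.
TOKEN = re.compile(r"/(\((?:[A-Z]\([^()/\s]*\))+\))(?=/|\s|$)")

# Constructed sample log: client IP, method, request path, Referer ("-" if none).
SAMPLE_LOG = """\
198.51.100.7 GET /(X(1)F(EXAMPLEtokenAAAA))/Folders/Page.aspx -
198.51.100.7 POST /(X(1)F(EXAMPLEtokenAAAA))/Folders/Page.aspx http://site.example/(X(1)F(EXAMPLEtokenAAAA))/Folders/Page.aspx
203.0.113.9 GET /Folders/Page.aspx -
203.0.113.50 GET /(X(1)F(EXAMPLEtokenAAAA))/Folders/Other.aspx -
192.0.2.33 GET /(X(1)F(EXAMPLEtokenBBBB))/Folders/Page.aspx -
"""

def redact(text):
    """Replace every cookieless segment with a fixed marker so logs can be shared."""
    return TOKEN.sub("/(REDACTED)", text)

def scan(log_text):
    """Return (clients_by_token, redacted_lines) for a log in the sample layout."""
    clients = defaultdict(set)
    redacted = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, _referer = line.split(" ", 3)
        match = TOKEN.search(path)
        if match:
            clients[match.group(1)].add(ip)
        redacted.append(redact(line))
    return dict(clients), redacted

def shared_tokens(clients_by_token):
    """Tokens presented from more than one client IP.

    Not proof of hijacking (NAT, a network change or a pasted link look the
    same), but these are the tokens to review first.
    """
    return {t: sorted(ips) for t, ips in clients_by_token.items() if len(ips) > 1}

if __name__ == "__main__":
    by_token, clean = scan(SAMPLE_LOG)
    print("\n".join(clean))
    print(shared_tokens(by_token))
```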




Check the sessionState node settings in your web.config. The cookieless attribute on the sessionState node must be set to false, as shown in the following settings.



<sessionState mode="Off|InProc|StateServer|SQLServer"
              cookieless="true|false"
              timeout="number of minutes"
              stateConnectionString="tcpip=server:port"
              sqlConnectionString="sql connection string"
              stateNetworkTimeout="number of seconds"/>

      

+1




Paul is right that the sessionID is put in the URL for your cookieless users. This is not a problem for users, but it poses a potentially significant problem for bots (most significantly Googlebot) that crawl your site to index and rank it in search engines.

The bots will be identified as cookieless by your ASP.NET framework, which triggers a couple of 302 redirects: from //URL/autocookiesupportdetect, then to URL/(sessionID)/folders ... This 302 redirect is bad enough, but to make matters worse, Googlebot gets the SessionID every time it crawls your site and looks at every URL with a sessionID as a duplicate page for indexing. This wreaks havoc on the pagerank file for every page where Google looks at the session id in the url.

The fix is to add a definition file to your site that identifies bots as accepting cookies, so that they are served with cookies (not cookieless). Then you don't have to require your visitors to accept cookies, and the bots will be happy to see your pages without a sessionID in your URLs.

+1

