How does IIS7 determine the same session in a cookieless scenario?

Question

We have ASP.NET cookieless sessions (inproc), so URL contains the session id, ie S(dfasfdafasdfasfa)

We also have several clients going through proxy servers where it appears like our web server doesn't recognize the session id and without the session data they can't continue. I've tested our sites on open proxies and they work fine. But there is something going on with this particular client proxy server that causes this behavior.

I've examined package captures for the success and fail cases (provided by the client) and the raw HTML getting transmitted, including headers, is the same. The proxy server does not appear to be caching URLs because the correct session id is coming down.

So my thought is that IIS7 is using something in addition to the session id in the URL to determine a unique client. Perhaps something at the TCP/IP level? Rather than just App(http) level. Is this on track? Does anyone know the answer to this?

Unfortunately without being able to recreate this scenario locally I'm racking my brain hard.

Answer 1

Log the Request Url , SessionId and IsNewSesssion .... that should tell you where the problem lies.

I doubt you would see a valid session presented in the Url but not reflected in SessionId. If you see the value you expect reflected in SessionId but IsNewSession is true across multiple requests, then it's an app recycle issue.