How does ASP.NET identify a request and match it to a previous server side session?
E.G:
Client sends first request; server side, it sets up a session variable (e.g. loggedIn). Request two comes in: how does the server match this request to the session it created last time (e.g. MAC address, IP address, etc.)?
I am interested in how this is secure.
There are two basic ways: a cookie and a URI.
In cookie mode, the ASP.NET_SessionId cookie is appended to the very first response. The id can change, but it stays the same as soon as the first item is put into the session. You can change the name of the cookie.
In cookieless mode, the URI gets modified and the session id becomes part of it. Instead of http://foo.bar/qux you have http://foo.bar/(sessionid)/qux
Both modes are handled automatically depending on the configuration (web.config, sessionState section).
The security mostly depends on a secure channel. The cookie/url can be sniffed and reused if transmitted over unencrypted wire.
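The matching step the answer describes, as an added example that is not part of the original question or answer: a small Python simulation of an in-memory session store that resolves a request to a session either from the `ASP.NET_SessionId` cookie or from the id embedded in the path. The path format `/(S(<id>))/` is the one real ASP.NET uses for cookieless sessions; the store, the header dictionary and the `resolve_session` function are assumptions of this example, and the store issues an id on the first request rather than deferring until the first item is written, which is a simplification of the behaviour the answer describes. The point it makes visible is that the server trusts nothing but the id itself: whoever presents a known id gets that session, which is why the channel carrying the id has to be encrypted.

```python
import re
import secrets

# Default cookie name used by ASP.NET session state (configurable via web.config)
COOKIE_NAME = "ASP.NET_SessionId"

# Cookieless ASP.NET embeds the id as a path segment: /(S(<id>))/page.aspx
URI_SESSION_RE = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)/")


class SessionStore:
    """Hypothetical in-memory store: session id -> dict of session variables."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Unpredictable id from a CSPRNG; hex keeps it within the URI id charset
        sid = secrets.token_hex(12)
        self._sessions[sid] = {}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def session_id_from_cookie(headers):
    """Pull the session id out of a raw Cookie header, if present."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def session_id_from_uri(path):
    """Pull the session id out of a cookieless-style path, if present."""
    match = URI_SESSION_RE.search(path)
    return match.group(1) if match else None


def resolve_session(store, headers, path, cookieless=False):
    """Return (session_id, session_dict, created) for one incoming request.

    The only thing linking a request to a session is the id it presents;
    no IP or MAC address is consulted. An unknown or missing id yields a
    fresh session rather than adopting the presented value.
    """
    sid = session_id_from_uri(path) if cookieless else session_id_from_cookie(headers)
    if sid is not None and store.lookup(sid) is not None:
        return sid, store.lookup(sid), False
    sid = store.new_session()
    return sid, store.lookup(sid), True


if __name__ == "__main__":
    # Constructed request sequence: first request has no id, second presents it back
    store = SessionStore()
    sid, session, created = resolve_session(store, {}, "/qux")
    session["loggedIn"] = True
    _, again, created_again = resolve_session(
        store, {"Cookie": f"ASP.NET_SessionId={sid}"}, "/qux"
    )
    print("first request created session:", created)
    print("second request reused session:", not created_again, again)
```

Running the script shows the second request landing on the same session dictionary, including the `loggedIn` flag set during the first. A request that presents an id the store has never issued gets a new, empty session instead, so a guessed id is harmless; a copied id that is valid is indistinguishable from the real client, which is the sniffing risk the answer refers to.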