Cookieless sessions
From: Electronjockey <ele...@ho...> - 2010-04-27 22:29:30
I was going back through some of the old mailing list threads, and I came across: http://mail-archives.apache.org/mod_mbox/httpd-cli-users/200412.mbox/%3C6...@po...%3E

I read that Microsoft only added cookieless sessions to ASP.NET in order to support mobile devices that couldn't handle cookies. I also read about the obvious security risks that using this method causes. Nevertheless, I tried resolving the issue by using a configuration like this:

    <Directory "/htdocs/Tests2">
        # Set custom headers
        <IfModule headers_module>
            Header set X-Powered-By "ASP.NET"
        </IfModule>
        Options FollowSymlinks
        AspNet Files Virtual
        Order allow,deny
        Allow from all
        DirectoryIndex Default.aspx
    </Directory>

    # Attempt to enable cookieless sessionstate
    # This still doesn't work
    <Location ~ "^/TestApp2/\(S\(.{24}\)\)/.*">
        SetHandler asp.net
        AspNet All
    </Location>

The \(S\(.{24}\)\) represents the string that is generated for the session key by the app. I end up with a 404 in the access log for /TestApp2/Default.aspx, which doesn't make much sense, as it works when I'm using cookies for sessionstate.