When using cookieless Forms Authentication, which relies on session values embedded and maintained in the URL, you must ensure that the session value appears in the URL for every page request; otherwise, the user's session is lost, and the user (who has presumably logged in and authenticated) gets logged out and has to authenticate again.
ASP.NET automatically maintains URL session values for you for all non-absolute URLs (those where the URL does not start with either http:// or a slash (/). That strategy means that ASP.NET handles most cases.
However, there are cases when ASP.NET does not handle embedding the session value in the URL. I came across one such case recently.
The requirement was to run through the Site Map file and dynamically create hyperlinks within different panel controls on a page. That seemed simple enough; all I had to do was to use the SiteMap class's methods to retrieve child nodes of the CurrentNode and create hyperlink server controls in code. The code to create the hyperlinks looked something like this:
Dim contentHyperlink as new hyperlink()
However, it turns out that in such cases, ASP.NET does not maintain the SessionID in the URL for you. A quick look at the page source in this case uncovered that all the URLs for the dynamically generated hyperlinks were absolute—and ASP.NET doesn't append the SessionID value to absolute URLs automatically.
To resolve this issue, you need to change the navigateUrl property assignment like this:
The ApplyAppPathModifier method embeds the SessionID into the hyperlink. The method's single parameter takes a virtual path.
Note that this works only when your web site has been configured to use cookieless sessions. That is, the web.config must declare session configuration as follows:
<sessionState cookieless="true" />
For a complete reference, visit MSDN.