In ASP.NET, I'm a bit confused about role of cookies in session state. Whats is the difference between normal session state and cookieless session state?

Normal session state involves providing a cookie. The cookie contains a session identifier which is used by the website to match visitors up with their respective session values.

Cookieless session state uses the same principles, but doesn't use cookies to pass the session identifier around. Normally, this is passed as a parameter on the querystring.

e.g.

http://www.somewebsite.com/page.aspx?sid=jrkwojeqrojq3op349023231234r23rf2

ASP.NET is able to modify relative links found within the page and embed the Session ID in the URLs instead of storing it in a cookie.

Thus, as long as the user follows the path of links the site provides, session state can be maintained without using cookies. However, if the end user re-writes the URL, the session state instance will most likely be lost.

Further reading:

• MSDN - ASP.NET Session State

The cookie less session doesn't use a cookie is user's browser to store session state. Instead it stores the session either in the page itself or in the url. Read here for a comparison.

cookieless means that the sessionId is munged into the url for each request as opposed to setting a cookie on the browser.