From c9adbb9ae1741a60a9c2e9652d7c0b5667ea9460 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Mon, 4 Mar 2019 20:47:31 -0600 Subject: [PATCH] Session state/GDPR clarification (#11270) Fixes #11269 Bit of a *nit PR*. The original text is good. This just clarifies a bit further by explicitly stating that the site visitor must permit tracking under GDPR for sessions to work. --- aspnetcore/fundamentals/app-state.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/fundamentals/app-state.md b/aspnetcore/fundamentals/app-state.md index c9856e2048..feb7fa0233 100644 --- a/aspnetcore/fundamentals/app-state.md +++ b/aspnetcore/fundamentals/app-state.md @@ -4,7 +4,7 @@ author: rick-anderson description: Discover approaches to preserve session and app state between requests. ms.author: riande ms.custom: mvc -ms.date: 06/14/2018 +ms.date: 03/04/2019 uid: fundamentals/app-state --- # Session and app state in ASP.NET Core @@ -58,7 +58,7 @@ Session state exhibits the following behaviors: * The app retains a session for a limited time after the last request. The app either sets the session timeout or uses the default value of 20 minutes. Session state is ideal for storing user data that's specific to a particular session but where the data doesn't require permanent storage across sessions. * Session data is deleted either when the [ISession.Clear](/dotnet/api/microsoft.aspnetcore.http.isession.clear) implementation is called or when the session expires. * There's no default mechanism to inform app code that a client browser has been closed or when the session cookie is deleted or expired on the client. -The ASP.NET Core MVC and Razor pages templates include support for [General Data Protection Regulation (GDPR) support](xref:security/gdpr). [Session state cookies aren't essential](xref:security/gdpr#tempdata-provider-and-session-state-cookies-are-not-essential), session state isn't functional when tracking is disabled. +The ASP.NET Core MVC and Razor pages templates include support for General Data Protection Regulation (GDPR). Session state cookies aren't marked essential by default, so session state isn't functional unless tracking is permitted by the site visitor. For more information, see . > [!WARNING] > Don't store sensitive data in session state. The user might not close the browser and clear the session cookie. Some browsers maintain valid session cookies across browser windows. A session might not be restricted to a single user—the next user might continue to browse the app with the same session cookie.