.net 2.0 + java applet + session

Last post 01-24-2006 10:18 AM by jasonchewy. 12 replies.


  • .net 2.0 + java applet + session

    01-19-2006, 3:48 PM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11

    My java applet downloads files from one of the asp.net pages that streams the file out.

    Problem: the session variables are null when the applet accesses the page. (so applet is accessing the page as a new blank session)

    This didn't use to be a problem with 1.1.  The java applet would access the page and .net will automatically know that the applet is in the same session as the page accessed it.

  • Re: .net 2.0 + java applet + session

    01-19-2006, 4:44 PM
    • Contributor
      3,067 point Contributor
    • sschack
    • Member since 09-16-2003, 12:06 PM
    • Posts 613
    • Moderator

    Is the applet trying to access the session cookie of the containing page?  In 2.0 we added the HttpOnly attribute to the Set-Cookie header we send for the session state cookie.  Maybe that is interfering with the Java applet?

    Normally setting HttpOnly has no effect on browsing pages since all this attribute does is prevent someone from programmatically accessing the cookie through the DOM.  I don't know though how a Java applet interacts with the cookie collection in IE.  Maybe it relies on the ability to get all cookies from the DOM object and send them back to the server?  In which case that would explain why the session cookie from the containing page is no longer being sent by the Java applet.

    -Stefan
    ----------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: .net 2.0 + java applet + session

    01-20-2006, 9:32 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    wow, I never knew 2.0 had a thing like this.  But nevertheless, since I don't know about it, I have never set it, unless somehow somewhere this property is defaulted to true.
    It does seem that this is the problem though, since not only my java applet can't access the session variables, also windows media player can't as well.  I have a web form that streams back a video stream, IE sees that it's a video stream, and passes it to WMP, when WMP access the web form, in the request header (through sniffing the TCP packets stuff), there is also no info on the session id, hence when I debug and trace the page being accessed by WMP, once it reaches the part where it grabs session variables, it dies.  While in 1.1, everyone's happy, so must be something added in 2.0 that I don't know of.  Possibly this HttpOnly thing.  I will dig deeper into this HttpOnly thing to see if somewhere is defaulted to true.

    Thanx sschack!
  • Re: .net 2.0 + java applet + session

    01-20-2006, 10:39 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    I've just checked, nowhere in my web project folder, nor the CONFIG folder inside the Microsoft.NET folder under windows, does it have any HttpOnly setting being set.

  • Re: .net 2.0 + java applet + session

    01-20-2006, 11:21 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    You are a genius!!
    it is HttpOnly....only I don't know where it is being set...

    I kept sniffing the packets, and I've cornered it down to sniffing that is set to IE on the FIRST ACCESS to my asp.net project.

    and to my surprise:
    Set-Cookie: ASP.NET_SessionId=ons0lye22wwbjxethw0pre55; path=/; HttpOnly
     is found in my header when I first access the 2.0 version of the project.

    now, I have to find out why it's being set...because I don't have that setting being set to true anywhere on my computer....


  • Re: .net 2.0 + java applet + session

    01-20-2006, 1:57 PM
    • Contributor
      3,067 point Contributor
    • sschack
    • Member since 09-16-2003, 12:06 PM
    • Posts 613
    • Moderator

    We hardcode this setting in all of our features that issue cookies - session state, forms authentication and anonymous identification - to protect against client-side hijacking of the cookie.  If your app needs programmatic access to the cookies in the browser, add the following to global.asax

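        // Runs at the end of every request.
        void Application_EndRequest(Object sender, EventArgs e) {
            if (Response.Cookies.Count > 0)
            {
                foreach (string s in Response.Cookies.AllKeys)
                {
                    // Only touch the forms authentication cookie, and only when
                    // this response actually sets it.
                    if (s == FormsAuthentication.FormsCookieName)
                    {
                        // Clearing HttpOnly makes the cookie readable by client-side script.
                        Response.Cookies[FormsAuthentication.FormsCookieName].HttpOnly = false;
                    }
                }
            }
        }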

    This shows turning off HttpOnly for forms authentication.  Just follow the same approach for session state.

    -Stefan
    ----------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: .net 2.0 + java applet + session

    01-20-2006, 2:22 PM
    • Contributor
      2,498 point Contributor
    • Blake05
    • Member since 12-02-2005, 11:22 PM
    • Wisconsin
    • Posts 501
    Nice, good work to both of you for figuring this out. I'm a java programmer also and I'll keep this in mind if I ever have to combine the two together and do something like this.
  • Re: .net 2.0 + java applet + session

    01-20-2006, 7:38 PM
    • Contributor
      3,067 point Contributor
    • sschack
    • Member since 09-16-2003, 12:06 PM
    • Posts 613
    • Moderator

    Out of curiosity - would you be able to post a mini-repro that shows the issue with the Windows media player content?

    Also - for the Java applet - is there code in the applet that is grabbing the cookies from IE by way of the DOM?  I admit I have no idea how a Java applet in a browser gets access to IE's cookies - but if the applet has its own networking stack, and doesn't piggyback on IE's usage of Wininet - that would explain why for the applet case the HttpOnly cookies are lost.

    -Stefan
    ----------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: .net 2.0 + java applet + session

    01-23-2006, 9:50 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    I've tried your code, does seem to eliminate that HttpOnly from the:

    Set-Cookie: ASP.NET_SessionId=x33sqfniuwu42xfqfmbsmnyu; path=/; HttpOnly

    That header line I believe, is only seen on the first time when you access the asp.net project.
    So when you access your default.aspx (or whatever your first page is called), the response from the IIS from your browser's GET will contain that line in the header.

    As for WMP issue, I won't be able to post my code, because this software is not open source, and because the code won't help much without all the other crap that it uses...but to summarize it....

        // Put this code in any code-behind, and strip the .aspx page down to the one line
        // referencing the .cs.
        // Put a wmv, avi or mpg file into the MemoryStream; my program grabs the data from
        // a database, but it should work the same.
        // Placeholder source: any video file will do (the path here is illustrative).
        byte[] tempBytes = System.IO.File.ReadAllBytes(Server.MapPath("abc.wmv"));
        MemoryStream ms = new MemoryStream(tempBytes, 0, tempBytes.Length);

        // "inline" plus the video content type makes IE hand the URL to WMP.
        Response.AddHeader("Content-Disposition", "inline; filename=\"abc.wmv\"");
        Response.ContentType = "video/x-ms-wmv";
        Response.OutputStream.Write(ms.ToArray(), 0, ms.ToArray().Length);
        Response.End();

    This is very standard code, setting that contenttype, and the inline, will tell IE to open the file, that will open WMP, and then WMP will try to open the file from the URL (NOT FROM CACHE).
    Another way to ensure this works....put this code in a second page...not the first page you access...because you would need to let that HttpOnly thing get set in IE first.

    In terms of the java applet, I really have no idea either, in 1.1 it magically will get the session id from IE, and puts that sessionid in the GET header...(Not so for 2.0)
    Right now I've modded the code to grab all the session data I needed from before from database, and put a key on it, and put the key on the querystring on the URL.
    I've also modded the code to programmatically have .net put the session id on the <param> on the applet, and have the applet programmatically put the session on the GET header. (just in case if any session program causes me program later on)
  • Re: .net 2.0 + java applet + session

    01-23-2006, 10:10 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    Look at this...:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/pagexplained0002.asp

    "HttpOnly. This property specifies whether the cookie can be accessed by client script. In ASP.NET 2.0, this value is always set to true. Internet Explorer 6 Service Pack 1 supports this cookie attribute, which prevents client-side script from accessing the cookie from the document.cookie property. If an attempt is made to access the cookie from client-side script, an empty string is returned. The cookie is still sent to the server whenever the user browses to a Web site in the current domain.

        Note   Web browsers that do not support the HttpOnly cookie attribute either ignore the cookie or ignore the attribute, which means that the session is still subject to cross-site scripting attacks."

    Defaulted to true says here...but I was sure many pages I've seen says it's set to false...just have to find a way to false it....hopefully there's a setting somewhere that I can set....will keep you all posted when I find something.
  • Re: .net 2.0 + java applet + session

    01-23-2006, 2:06 PM
    • Contributor
      3,067 point Contributor
    • sschack
    • Member since 09-16-2003, 12:06 PM
    • Posts 613
    • Moderator

    That was my earlier point - for Session state, Forms Authentication, and Anonymous Identification, ASP.NET always sets HttpOnly to true.  There is no config switch or other configuration option to turn it off.  Instead if an app needs to work around this, you need some of the approaches outlined earlier (EndRequest processing, or modifying other app logic as you did with the session info).

    Also - thanks for the other pointer on WMP.  We will take a look at it...

    -Stefan
    ----------------------------------------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: .net 2.0 + java applet + session

    01-24-2006, 9:19 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    ohhh....icic....ok I'll keep hammering on from your code, will post solution when I find one.

  • Re: .net 2.0 + java applet + session

    01-24-2006, 10:18 AM
    • Member
      55 point Member
    • jasonchewy
    • Member since 11-04-2005, 3:17 PM
    • Posts 11
    I did it!
    had to change some stuff to the code u posted though.

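        // Runs at the end of every request.
        void Application_EndRequest(Object sender, EventArgs e)
        {
            if (Response.Cookies.Count > 0)
            {
                foreach (string s in Response.Cookies.AllKeys)
                {
                    // "ASP.NET_SessionId" is the default session cookie name; it differs
                    // if cookieName is set on <sessionState>.
                    if (s == "ASP.NET_SessionId")
                    {
                        // Clearing HttpOnly makes the session id readable by client-side script.
                        Response.Cookies["ASP.NET_SessionId"].HttpOnly = false;
                    }
                }
            }
        }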

    add that to Global.asax
    that will get rid of the HttpOnly from the Set-Cache line.

    Now my videos are playing as it should.

    Thanx sschack!
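
The other workaround jasonchewy describes in the thread (keying the needed data and putting the key on the query string) leaves HttpOnly in place on the session cookie. A sketch of that approach follows as an added example, not code from the thread; `DownloadTicketStore`, `Issue`, `Redeem` and the in-memory dictionary (standing in for his database) are assumptions, and it is written for current C#.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not code from the thread. Time-limited download keys let a
// helper client (applet, media player) fetch a file without the session cookie.
public sealed class DownloadTicketStore
{
    private sealed class Ticket
    {
        public string FileId;
        public DateTime ExpiresUtc;
    }

    private readonly Dictionary<string, Ticket> tickets = new Dictionary<string, Ticket>();
    private readonly object gate = new object();
    private readonly TimeSpan lifetime;

    public DownloadTicketStore(TimeSpan lifetime) { this.lifetime = lifetime; }

    // Call from the authenticated page that builds the applet <param> or media URL.
    public string Issue(string fileId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];                       // 256 bits, unguessable
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        string key = BitConverter.ToString(raw).Replace("-", "");
        lock (gate)
        {
            tickets[key] = new Ticket { FileId = fileId, ExpiresUtc = nowUtc + lifetime };
        }
        return key;
    }

    // Call from the streaming page with the query-string key. Returns the file id
    // the key was issued for, or null if the key is unknown or expired.
    public string Redeem(string key, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(key)) return null;
        lock (gate)
        {
            Ticket t;
            if (!tickets.TryGetValue(key, out t)) return null;
            if (nowUtc <= t.ExpiresUtc) return t.FileId;   // still valid; reusable until expiry
            tickets.Remove(key);                            // expired: forget it
            return null;
        }
    }
}
```

The streaming page serves only the file id that `Redeem` returns, so a leaked key exposes one file for a short window rather than the whole session.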