The primary mechanism by which the SP makes attribute and other session information available to applications is by "exporting" the data to a set of server variables or HTTP request headers that are generally exposed to web applications using the CGI (Common Gateway Interface) defined in the early days of the web.

...

Info: Always use Server Variables

Currently, the SP supports the use of server variables on all versions of Apache and IIS versions greater than 7. You should always use this mechanism with web servers that support it.

The safest mechanism, and the default for servers that allow for it, is the use of server variables. The term refers to a set of controlled data elements that the web server supplies to applications and that cannot be manipulated in any way from outside the web server. Specifically, the client has no say in them.

...

A fair amount of detail on this can be found in the secadv_20090615 topic from the older version of the software, and it should be clear from the utter confusion you'll be in trying to follow it that you should stop using headers. The most particular point about ASP.NET is that it provides access to both the transformed headers (all caps, with the HTTP_ prefix) via the ServerVariables collection, and the untransformed input headers via the Headers collection. The latter is much safer to use.
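Why the untransformed names are easier to reason about, as an added example (not code from the SP or its documentation): under the CGI rule in RFC 3875, a header name is upper-cased, hyphens become underscores and HTTP_ is prefixed, so distinct raw names can land on one transformed name. The header name X-Example-Attr and the sample values are hypothetical.

```python
def cgi_name(header_name):
    # RFC 3875 section 4.1.18: upper-case the field name,
    # replace "-" with "_", and prefix "HTTP_".
    return "HTTP_" + header_name.upper().replace("-", "_")


def transformed_view(raw_headers):
    """Group (name, value) pairs by their transformed name.

    Values are collected rather than overwritten so a collision stays visible.
    """
    view = {}
    for name, value in raw_headers:
        view.setdefault(cgi_name(name), []).append((name, value))
    return view


def ambiguous_sources(raw_headers, trusted_header):
    """Raw names that are not the trusted header but transform to its name."""
    target = cgi_name(trusted_header)
    return [name for name, _ in raw_headers
            if cgi_name(name) == target
            and name.lower() != trusted_header.lower()]


def read_untransformed(raw_headers, trusted_header):
    """Lookup by the untransformed name (case-insensitive, as HTTP field names are)."""
    return [v for n, v in raw_headers if n.lower() == trusted_header.lower()]


# Constructed sample request; the names and values are hypothetical.
TRUSTED = "X-Example-Attr"
SAMPLE_HEADERS = [
    ("Host", "app.example.org"),
    ("X-Example-Attr", "from-sp-module"),
    ("X_Example_Attr", "from-request"),
]

if __name__ == "__main__":
    # Two different raw headers share one transformed key.
    print(transformed_view(SAMPLE_HEADERS)[cgi_name(TRUSTED)])
    # A deployment check: flag raw names that shadow the trusted one.
    print(ambiguous_sources(SAMPLE_HEADERS, TRUSTED))
    # The untransformed lookup returns only the exact header.
    print(read_untransformed(SAMPLE_HEADERS, TRUSTED))
```

A check like `ambiguous_sources` can be run over captured request headers to see whether anything in front of the application is passing through names that shadow an exported attribute.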

...