I am writing a simple proof-of-concept web service using ASP.NET MVC3 controller with JSON input/output. I want to allow a login based on a DB table and to return an API key and a session ID. With subsequent requests to other APIs I require passing both API key and a session ID.

How can I set up my MVC3 project so that neither cookie nor cookieless session is being used. I want the session ID from JSON request to be used instead and still have the convenience of a Controller.Session. Is this possible? I don't want to reinvent the wheel with my own session handling.

YOu can use the ISessionIDManager interface to create custom logic for storing and retrieving the sessionID.

You set in your web.config that the app uses your custom session id manager instead of the default one and then all you have to do is figure out how you want it to save to the request and retrieve from the request.